[ome-devel] OMERO system administration advice for the OpenSSL "heartbleed" vulnerability

Roger Leigh r.leigh at dundee.ac.uk
Mon Apr 14 14:53:15 BST 2014


Last week, a serious vulnerability in OpenSSL was published¹, named
"heartbleed", which allows the TLS heartbeat extension to be used to
retrieve secret keys and other information from services using OpenSSL.
If you use OpenSSL on your system, you must update it immediately if
you have not done so already.  Linux distributions made updates
available last week; please update using your package manager.

OMERO itself is not vulnerable.  None of the packages we provide include
or depend upon OpenSSL directly.  The OMERO.server IceGrid services use
Java, which provides its own SSL implementation which does not contain
the vulnerability.

While OMERO is not vulnerable, other services which OMERO depends on and
which use OpenSSL are vulnerable.  If you use OMERO.web, the web server
may be vulnerable if using HTTPS.  OMERO.grid (and IceGrid services in
general) also use SSL.  The IceSSL library is linked against OpenSSL on
Linux and Windows systems. Users of this library or of IcePy may be at
risk.  ZeroC have provided specific information about which Ice versions
are vulnerable and must be updated².  In all cases, make sure you are
not using a vulnerable version of OpenSSL and Ice.


A summary of the affected versions:

- OpenSSL versions 1.0.1 - 1.0.1e contain the vulnerability
- OpenSSL 1.0.1g is the fixed version
- OpenSSL 1.0.0 and earlier are unaffected

Linux systems: update using your package manager
MacOS systems: if using Homebrew openssl, update with Homebrew; the
system libSSL is unaffected
Windows: if using the ZeroC Ice 3.5.0 or 3.5.1 packages, update to 3.5.1-1
FreeBSD: the ports tree contains the fixed version

Note that on Linux and FreeBSD, the Ice packages do not require updating
since the vulnerability is in OpenSSL.  Updating OpenSSL is sufficient.
We do not currently support Ice 3.5.x on Windows using the ZeroC Ice
packages, so most OMERO servers running on Windows are using Ice 3.4 and
so will be unaffected by the vulnerability.  Should you have built your
own version of Ice 3.5 on Windows for use with OMERO, it will require
rebuilding against the updated third party dependencies package.


If you have any questions, please direct them to our forums or mailing
lists.


[1] http://heartbleed.com/
[2] http://doc.zeroc.com/pages/viewpage.action?pageId=7897804



Regards,
Roger Leigh

--
Dr Roger Leigh -- Open Microscopy Environment
Wellcome Trust Centre for Gene Regulation and Expression,
College of Life Sciences, University of Dundee, Dow Street,
Dundee DD1 5EH Scotland UK   Tel: (01382) 386364

The University of Dundee is a registered Scottish Charity, No: SC015096
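The version summary in the post above lends itself to a quick check script. The following POSIX shell script is an added example, not part of Roger's message and not OMERO or ZeroC code: it parses the banner printed by `openssl version`, classifies the version according to the ranges given in the post (with every 1.0.1 release below 1.0.1g treated as affected, which also covers 1.0.1f), and then, if an `openssl` binary is on the PATH, reports the live result. The sample banners it classifies first are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original mailing-list post): classify an
# installed OpenSSL against the Heartbleed version summary.

# openssl_version_from_banner BANNER
# Extracts the bare version from a line such as
# "OpenSSL 1.0.1e-fips 11 Feb 2013" -> "1.0.1e".
openssl_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# heartbleed_status VERSION
# Prints one word: affected, fixed, unaffected or not-in-summary.
#   1.0.1 .. 1.0.1f  -> affected   (the post lists 1.0.1 - 1.0.1e; 1.0.1f
#                                   shipped before the fix and is included here)
#   1.0.1g and later -> fixed
#   1.0.0 and older  -> unaffected
#   anything else    -> not-in-summary (a branch the post does not cover)
heartbleed_status() {
    case "$1" in
        1.0.1|1.0.1[a-f]*) echo affected ;;
        1.0.1[g-z]*)       echo fixed ;;
        1.0.0*|0.*)        echo unaffected ;;
        *)                 echo not-in-summary ;;
    esac
}

# report_banner BANNER
# Convenience wrapper: banner in, "<version>: <status>" out.
report_banner() {
    v=$(openssl_version_from_banner "$1")
    [ -n "$v" ] || { echo "unparsed banner: $1"; return 1; }
    echo "$v: $(heartbleed_status "$v")"
}

# Constructed sample banners, shown so the classification is visible
# without touching the host.
for banner in \
    "OpenSSL 1.0.1e-fips 11 Feb 2013" \
    "OpenSSL 1.0.1g 7 Apr 2014" \
    "OpenSSL 1.0.0k 5 Feb 2013" \
    "OpenSSL 0.9.8y 5 Feb 2013"
do
    report_banner "$banner"
done

# Live check of this host, only if an openssl binary is present.
if command -v openssl >/dev/null 2>&1; then
    echo "this host: $(report_banner "$(openssl version 2>/dev/null)")"
fi
```

One caveat when reading the result on a Linux distribution: vendors commonly backport the fix into the existing package without bumping the upstream version string, so a host whose banner still reads 1.0.1e may already be patched. Treat "affected" from this script as a prompt to compare the installed package version (for example with `dpkg -s openssl` or `rpm -q openssl`) against your distribution's own advisory, and restart any long-running service that loaded the old library, since an in-memory copy keeps running until the process is restarted.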

