Parallels Containers for Windows might be installed with Parallels Dispatcher for management of containers by PACI, and few components are compiled with vulnerable OpenSSL version.
This affects almost all services (especially Apache-based) in a system which depend on OpenSSL and those systems created using one of the following distributions:
- Debian Wheezy (stable) (vulnerable OpenSSL 1.0.1e-2+deb7u4, fixed in OpenSSL 1.0.1e-2+deb7u5)
- Ubuntu 13.10 (vulnerable OpenSSL 1.0.1e-3ubuntu1.1, fixed in OpenSSL 1.0.1e-3ubuntu1.2)
- Ubuntu 12.10 (vulnerable OpenSSL 1.0.1c-3ubuntu2.6, fixed in OpenSSL 1.0.1c-3ubuntu2.7)
Ubuntu 12.04.4 LTS (vulnerable OpenSSL 1.0.1-4ubuntu5.11, fixed in OpenSSL 1.0.1-4ubuntu5.12)
The package version for Debian/Ubuntu can be checked using the command:
~# dpkg -l openssl
- RedHat, CentOS, CloudLinux 6.5 (vulnerable OpenSSL 1.0.1e-16.el6_5.4, fixed in OpenSSL 1.0.1e-16.el6_5.7)
- Fedora 18 (OpenSSL 1.0.1e-4 without update: Fedora 18 is no longer supported)
- Fedora 19 (fixed in OpenSSL 1.0.1e-37.fc19.1)
- Fedora 20 (fixed in OpenSSL 1.0.1e-37.fc20.1)
- OpenSUSE 12.2 (vulnerable OpenSSL 1.0.1c, fixed in OpenSSL 1.0.1e-1.44.1)
OpenSUSE 13.1 (fixed in OpenSSL 1.0.1e-11.32.1)
The package version for Redhat/CentOS and OpenSUSE can be checked using the command:
~# rpm -q openssl
OpenSSL 0.97a and 0.98e (in RedHat/CentOS 5) are not vulnerable. According to RHSA-2014-0376, only Redhat 6.5 has a vulnerable version of OpenSSL.
Debian Squeeze it not vulnerable, as stated in Debian Security Advisory DSA-2896.
Other supported Ubuntu releases are not vulnerable, as per Ubuntu Security Notice USN-2165-1.
Corresponding security updates for Fedora:
Fixes for OpenSUSE provided in OpenSUSE Security Announcement openSUSE-SU-2014:0492-1.
Hardware node update
Operating system vendors have issued fixes, which have been incorporated by all major distributions. You must apply OpenSLL updates by:
Hardware servers with PCS:
~# yum clean all; yum update openssl
Hardware servers with PSBM: using
- KB #113945 Installing updates on Parallels Server Bare Metal 5 node
Hardware servers with PVC:
~# yum clean all; yum update openssl
- KB #1170 How do I keep a PVC installation up-to-date?
Note: PSBM, PCS and PVC for Windows use SSL for internal communication with Dispatcher only, this significantly decreases risk of compromise but anyway it is highly recommended to apply fixes for SSL as it might be used by some other 3rd party services.
Rebuilt version of Parallels Dispatcher with newer OpenSSL version is available:
- KB #121002 Parallels Cloud Server 6.0 Update 5 Hotfix 11 (6.0.5-1811)
- KB #121003 Parallels Server Bare Metal 5.0.0 Update 9 Hotfix 4 (5.0.0-1340)
- KB #121129 Parallels Virtuozzo Containers for Windows 4.6 and Parallels Virtuozzo Containers for Windows 6.0
PVA Power Panel and PVA MN
Parallels Virtual Automation uses not vulnerable version of OpenSSL, and also it uses system OpenSSL for web-based services via Apache.
PVA Power Panel uses Apache web-server running on the host, update OpenSSL and restart of Apache on the hardware node is needed:
~# service httpd restart
PVA Management Node uses Apache and OpenSSL of the system it is installed into, update the installation according to its type and restart services:
in a container:
~# vzctl update CTID
in a virtual machine or on a physical server:
~# yum clean all; yum update
Applying fix to containers
For existing containers:
~# vzpkg update CTID
or a single package specifically:
~# vzpkg install CTID -p openssl
Operating system template cache(s) should be recreated:
~# vzpkg update cache DISTR-VER-ARCH
After the update is applied all the services relying on OpenSSL should be restarted:
- Restart SSH server, OpenVPN, Apache.
- Restart any other services running on the host operating system dependent on OpenSSL.
- KB #121016 - summary article for all Parallels products