Peter Gale, Apr 17
We are posting this information as a follow-up to prior notices on the Heartbleed bug to ensure customers have reviewed the suggested steps to identify and remediate any vulnerabilities.
Heartbleed is a security vulnerability in the OpenSSL encryption software, which is used by a large portion of the secured websites/systems on the Internet, and may also be used by you in your websites and/or applications hosted on the Joyent Cloud platform. The issue is described in full at http://heartbleed.com/.
While Joyent's websites and APIs were NOT affected by this bug, we would like to take the opportunity to remind our customers that, as a best practice, they should change the passwords they use for my.joyent.com on a regular schedule.
While Joyent services themselves were not vulnerable to Heartbleed, customers may still have application/website vulnerabilities depending on their use of OpenSSL within their Virtual Machines hosted on the Joyent Cloud or elsewhere.
Accordingly, all users running HTTPS services should take the following steps if they find their version of OpenSSL is affected.
Peter Gale, Apr 08
RESOLVED - UPDATE at 08:45 PST, 15:45 UTC - April 9, 2014
This notice is to advise Joyent Public Cloud and Smart Data Center customers of the recently identified OpenSSL security issue CVE-2014-0160 (https://www.openssl.org/news/secadv_20140407.txt).
SmartOS users
If you use the images with their original pkgsrc repositories as intended, check which package repository your image uses by looking at /opt/local/etc/pkgin/repositories.conf. If your repository is any of the following, and you have installed the openssl package using pkgin, you are vulnerable:
You can check whether OpenSSL is installed by running:
pkgin ls | grep -i openssl
A patch has been prepared and updated packages have been built and added to the affected repositories as follows. The package name for each is shown alongside the repository name.
2012Q4 - openssl-1.0.1dnb3
2013Q1 - openssl-1.0.1enb1
2013Q2 - openssl-1.0.1enb2
2013Q3 - openssl-1.0.1enb3
2013Q4 - openssl-1.0.1fnb1
Customers can re-install OpenSSL with the following commands:
pkgin -y up && pkgin -y in openssl
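As an added example (not Joyent's own tooling), the following POSIX shell script automates the SmartOS check described above: it reads the repository quarter from repositories.conf, compares the package name reported by pkgin against the patched package for that quarter, and says whether the reinstall command is needed. The "/<quarter>/" layout of the repository URL and the sample conf file are assumptions.

```shell
#!/bin/sh
# Constructed example, not Joyent's tooling: is the pkgin-installed openssl patched?
# Patched package per pkgsrc quarter, taken from the table in the notice above.
fixed_for_quarter() {
    case "$1" in
        2012Q4) echo openssl-1.0.1dnb3 ;;
        2013Q1) echo openssl-1.0.1enb1 ;;
        2013Q2) echo openssl-1.0.1enb2 ;;
        2013Q3) echo openssl-1.0.1enb3 ;;
        2013Q4) echo openssl-1.0.1fnb1 ;;
        *) return 1 ;;
    esac
}
# Pull the quarter (e.g. 2013Q4) from the first repository URL in the given
# repositories.conf; the "/<quarter>/" path segment is an assumption.
quarter_from_repo() {
    sed -n 's|.*/\(20[0-9][0-9]Q[1-4]\)/.*|\1|p' "$1" | head -n 1
}
# Split "openssl-1.0.1enb1" into "1.0.1e 1"; no nb suffix means revision 0.
pkg_key() {
    ver=${1#openssl-}
    base=${ver%%nb*}
    nb=${ver#"$base"}; nb=${nb#nb}
    echo "$base ${nb:-0}"
}
# Succeed when installed ($1) >= fixed ($2): compare the upstream version string
# first (1.0.1d < 1.0.1e < 1.0.1f), then the pkgsrc nb revision numerically.
is_patched() {
    set -- $(pkg_key "$1") $(pkg_key "$2")
    if expr "$1" \> "$3" >/dev/null; then return 0; fi
    [ "$1" = "$3" ] && [ "$2" -ge "$4" ]
}
# Verdict for a quarter plus the package name from "pkgin ls | grep -i openssl".
check_openssl() {
    fixed=$(fixed_for_quarter "$1") || { echo "unknown repository quarter: $1"; return 2; }
    if is_patched "$2" "$fixed"; then
        echo "ok: $2 is at or above $fixed"
    else
        echo "VULNERABLE: $2 predates $fixed; run: pkgin -y up && pkgin -y in openssl"
        return 1
    fi
}

# Constructed sample standing in for /opt/local/etc/pkgin/repositories.conf.
SAMPLE_CONF=$(mktemp)
echo "http://pkgsrc.example.invalid/packages/SmartOS/2013Q4/x86_64/All" > "$SAMPLE_CONF"
check_openssl "$(quarter_from_repo "$SAMPLE_CONF")" openssl-1.0.1enb1 || true
```

On a real image, replace SAMPLE_CONF with /opt/local/etc/pkgin/repositories.conf and pass the package name printed by pkgin.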
Please check the notices applicable to the Linux Distro you are using for the necessary remedial actions:
CentOS/Red Hat/Fedora: https://rhn.redhat.com/errata/RHSA-2014-0376.html
Ubuntu: http://www.ubuntu.com/usn/usn-2165-1/
Joyent Manta, CloudAPI and Portal
Please be assured that the Joyent HTTPS endpoints for Manta, CloudAPI and the portal at https://my.joyent.com were not vulnerable to this issue.
Stingray Users
Stingray instances are NOT affected by this vulnerability.
Only versions v0.10.0 and v0.10.1 were affected; the latest stable release, v0.10.26, is not affected. None of the v0.8 releases were affected.
Peter Gale, November 22, 2013
As a valued customer of Joyent, we want to make sure you get the best possible service from us and that your investment in Joyent-based infrastructure is protected against failure and unauthorised access. The purpose of this article is to make sure that you are fully aware of the steps required to ensure the recoverability and security of your VMs.
Our Terms of Service (http://www.joyent.com/company/policies/terms-of-service) sections 3.C and 3.D define your responsibility in the areas of Security and Data Preservation.
With regard to data preservation, as a minimum you need to implement the following to ensure your data is recoverable in the event of a system failure:
- Take regular backups and move those backups off the VM to some form of secondary storage. This could be one of our secondary storage options such as Manta (http://www.joyent.com/products/manta), or a machine in another physical location such as your own premises or another of Joyent's Data Centers.
- Ensure you use the appropriate tools for your backups. Flat files can be backed up using commands such as tar, zip, etc. Database systems need to be backed up using the tools recommended for the specific system. Consult the documentation for the systems you use to determine the correct backup method.
- Take backups at a frequency that will minimise data loss in the event of a failure. The frequency can be determined by assessing how much data loss you can tolerate and how volatile your data is. If you cannot tolerate any data loss, you should look at implementing real-time replication of data to a backup area.
- Test your data recovery procedure regularly to ensure your backups are valid.
With respect to security, you will be aware that SmartOS and Linux VMs are protected by SSL security by default. However, all ports are open. Windows is protected by passwords generated when the machine is created. As a minimum you should take the following steps to ensure security, but this is only advisory information. Even with these steps carried out, you should undertake your own analysis to ensure your machines are as secure as you require them to be.
- Change all passwords that have been generated for any accounts/logins on your machines. The passwords generated by the provisioning system are intended for first time use only.
- Review open access ports and block or restrict access to ports as necessary.
- Regularly perform a security audit to validate who is logging into the machines and from where.
Backup and security can be complex topics, so we have deliberately only scratched the surface in this article in order to raise awareness and to ensure you are thinking about the processes and procedures you need to have in place.
You will find some useful advice and guidance on these topics on our Wiki at http://wiki.joyent.com/wiki/display/jpc2/Securing+your+Infrastructure.
If you have any questions regarding these topics please don't hesitate to reach out via help.joyent.com or email@example.com.