By now you should have heard about the Heartbleed bug. This is a serious vulnerability in the popular OpenSSL cryptographic software library. In case you think “but I don’t use this open source stuff”, you’re wrong. You might not use it directly, but your vendors might.
With the Heartbleed vulnerability, everything that uses SSL/TLS and that the vendor has built on an affected OpenSSL release (the 1.0.1 branch up to and including 1.0.1f) might be vulnerable. This can be email servers, load balancers, VPN solutions, IM solutions etc. Operating system distributions in the open source (Linux) area are the ones most commonly affected, because they ship OpenSSL as a system library. My Windows servers are not directly affected by this, but my load balancers are running on some Linux build.
For more details about the Heartbleed vulnerability, including a list of operating systems directly affected, you can check the http://heartbleed.com site. To check whether your solution is vulnerable to this issue you can use the following site: http://possible.lv/tools/hb (keep in mind that an online checker like this only tests the one public endpoint you point it at, not every service behind it).
Enter the URL of your site and you will see something like this:
Kemp Load Master
This is my Exchange 2013 environment running behind a Kemp LM2600, which indeed is vulnerable to this issue. Kemp has a fix available for most of their load balancers which can be downloaded from the Kemp forums at http://forums.kemptechnologies.com/index.php?p=/discussion/20730/heartbleed-vulnerability-patch-available
After downloading the patch, open the Kemp LoadMaster UI and navigate to System Configuration | System Administration | Update Software. Use the Browse button to select the update you just downloaded and click Update Machine.
The patch will be validated and, when it passes validation, you can install it. Once installed, the LoadMaster needs to be rebooted. Normally the recommendation is not to do this during business hours, but looking at the importance of the patch I decided to reboot anyway and not wait until off-hours. But that’s highly dependent on your organization, of course.
My F5 LTM is running BIG-IP 11.4.1 Build 608.0 Final. To check whether this is vulnerable you can use the http://possible.lv/tools/hb URL. You can also log on to the console and use the openssl version command to check the version of OpenSSL:
According to the http://heartbleed.com site the OpenSSL 0.9.8 branch is NOT vulnerable, so I’m fine here.
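The version check above can be scripted when you have more than a couple of boxes to go through. The following is an added example, not code from the original post or from Kemp or F5: a small POSIX shell function that maps the output of openssl version onto the status list published on heartbleed.com (1.0.1 through 1.0.1f vulnerable, 1.0.1g fixed, the 1.0.0 and 0.9.8 branches not affected), plus a loop that runs it over an inventory. The host names and version lines in the inventory are constructed sample data. One caveat the version string cannot tell you: Linux distributions usually backport the fix without bumping the upstream version, so a “vulnerable” verdict from this script means “check the vendor advisory or package changelog”, not “confirmed exploitable”.

```sh
#!/bin/sh
# Added example: classify `openssl version` output against the Heartbleed status list
# from heartbleed.com. Not part of the original post; host names below are constructed.

heartbleed_verdict() {
  # $1: one line of `openssl version` output, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013"
  # Prints exactly one of: vulnerable | fixed | not-affected | unknown
  set -- $1                         # word-split: $1=OpenSSL $2=version $3..=build date
  [ "$1" = "OpenSSL" ] || { echo unknown; return 0; }
  ver=${2%%-*}                      # drop vendor suffixes such as "-fips"
  case "$ver" in
    1.0.1|1.0.1[a-f])                   echo vulnerable ;;   # 1.0.1 .. 1.0.1f (inclusive)
    1.0.1[g-z])                         echo fixed ;;        # 1.0.1g and later
    1.0.0|1.0.0[a-z]|0.9.8|0.9.8[a-z])  echo not-affected ;; # branches without the bug
    *)                                  echo unknown ;;      # anything else: look it up
  esac
}

scan_inventory() {
  # stdin: "<host> <openssl version output>" per line (constructed format for this example)
  while read -r host rest; do
    [ -n "$host" ] || continue
    printf '%-10s %-13s %s\n' "$host" "$(heartbleed_verdict "$rest")" "$rest"
  done
}

report_local_openssl() {
  # Verdict for the openssl binary on the box you are logged on to, if there is one.
  if command -v openssl >/dev/null 2>&1; then
    line=$(openssl version)
    printf '%s -> %s\n' "$line" "$(heartbleed_verdict "$line")"
  else
    echo "openssl binary not found on this host"
  fi
}

# Constructed sample inventory (host name, then what `openssl version` printed there).
SAMPLE_INVENTORY='lb-01 OpenSSL 1.0.1e 11 Feb 2013
lb-02 OpenSSL 1.0.1e-fips 11 Feb 2013
vpn-01 OpenSSL 1.0.1g 7 Apr 2014
mail-01 OpenSSL 1.0.0k 5 Feb 2013
f5-ltm OpenSSL 0.9.8y 5 Feb 2013'

printf '%s\n' "$SAMPLE_INVENTORY" | scan_inventory
report_local_openssl
```

Run it on the appliance console (or feed it the collected output of openssl version from each host) and treat every “vulnerable” and “unknown” line as a box that still needs a vendor answer.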