Parallels Automation systems may be affected by the Heartbleed OpenSSL vulnerability (CVE-2014-0160). The potentially vulnerable components of Parallels Automation are:
- PBA 5.4 servers deployed on RHEL/CentOS 6
- All PBA 5.5 Linux servers
- POA servers deployed on RHEL/CentOS/CloudLinux 6
Almost all services that depend on OpenSSL (Apache-based services in particular) are affected on systems built on Red Hat Enterprise Linux, CentOS or CloudLinux 6.5, which ship the vulnerable openssl-1.0.1e-16.el6_5.4 package. The fix is openssl-1.0.1e-16.el6_5.7.
The installed package version on Red Hat/CentOS can be checked with:
~# rpm -q openssl
OpenSSL 0.9.7a and 0.9.8e (in Red Hat/CentOS 5) are not vulnerable: the TLS heartbeat extension in which the bug lives was only added in OpenSSL 1.0.1. According to RHSA-2014:0376, among the Red Hat releases only RHEL 6.5 ships a vulnerable version of OpenSSL.
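The version check above has to be read against the fix release from RHSA-2014:0376. The following helper is an added example, not part of this article or of the Parallels products: it classifies the string printed by `rpm -q openssl` on a RHEL/CentOS/CloudLinux 6 node. It generalizes slightly beyond the single package version named above: any 1.0.1e build older than 16.el6_5.7 (including the RHEL 6.5 GA package) is reported as vulnerable, while the 1.0.0 and 0.9.x builds of RHEL 6.4 and RHEL 5 are reported as not affected because they predate the heartbeat extension.

```shell
#!/bin/sh
# Added example (not from the Parallels KB): classify `rpm -q openssl` output
# on an el6 host against the CVE-2014-0160 fix release from RHSA-2014:0376
# (openssl-1.0.1e-16.el6_5.7). Prints one word per package string:
#   vulnerable   - a 1.0.1e build older than 16.el6_5.7
#   fixed        - 16.el6_5.7 or a later 1.0.1e build/release stream
#   not-affected - OpenSSL 1.0.0 or 0.9.x, which have no TLS heartbeat code
#   unknown      - anything else (inspect by hand)

heartbleed_status() {
    pkg=$1
    # rpm on RHEL 6 appends the architecture; drop it so the patterns below stay simple
    case $pkg in
        *.x86_64|*.i686|*.i386|*.noarch) pkg=${pkg%.*} ;;
    esac
    case $pkg in
        openssl-1.0.1e-16.el6_5.*)
            # the number after "el6_5." is the errata build: 4 is vulnerable, 7 and later are fixed
            build=${pkg##*.el6_5.}
            case $build in
                ''|*[!0-9]*) echo unknown; return ;;
            esac
            if [ "$build" -ge 7 ]; then echo fixed; else echo vulnerable; fi
            ;;
        openssl-1.0.1e-[0-9].*|openssl-1.0.1e-1[0-5].*)
            # earlier 1.0.1e builds, e.g. the RHEL 6.5 GA package 1.0.1e-15.el6
            echo vulnerable
            ;;
        openssl-1.0.1e-*)
            # later release streams (el6_6, el6_7, ...) were built after the fix
            echo fixed
            ;;
        openssl-1.0.0-*|openssl-0.9.*)
            echo not-affected
            ;;
        *)
            echo unknown
            ;;
    esac
}

# Run on the node itself. Multilib hosts can carry both i686 and x86_64
# packages, so every line of `rpm -q openssl` is classified.
check_local_openssl() {
    command -v rpm >/dev/null 2>&1 || { echo unknown; return; }
    rpm -q openssl | while read -r pkg; do
        echo "$pkg $(heartbleed_status "$pkg")"
    done
}
```

As a second, independent confirmation on a patched node, `rpm -q --changelog openssl | grep CVE-2014-0160` should print the changelog entry for the fix; an empty result means the updated package is not installed yet.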
To secure your Parallels Automation installation:
- Update OpenSSL on the Online Store, PBA Application and PBA Database servers deployed on RHEL/CentOS 6
- Update OpenSSL on all POA servers deployed on RHEL/CentOS 6
- Restart the POA UI and POA back-end services if the Branding node was updated
- Manage certificate revocation/reissue/replacement process for Store and Branded domains
To update RHEL 6 servers refer to instructions from the Red Hat advisory: https://rhn.redhat.com/errata/RHSA-2014-0376.html.
To update CentOS 6 servers use the instructions from the vendor blog: http://www.centosblog.com/critical-openssl-vulnerability-heartbleed-openssl-1-0-1-1-0-1f-patch-bug-centos-system.
To update physical or virtual servers running on Parallels virtualization products please use the instructions provided in http://kb.parallels.com/en/120989.
Invoke the following command on the POA UI and MN nodes to restart the POA UI:
~# service pemui restart
Invoke the following command on the POA MN node to restart the POA back-end services:
~# service pem restart
Invoke the following command on the PBA-E application server to restart the PBA back-end services:
~# service pba restart
Invoke the following command on the PBA-E Online Store server to restart the Apache web server that serves the store:
~# service httpd restart
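The restarts above matter because `yum update openssl` only replaces the library on disk: every daemon that was already running keeps the old, vulnerable copy mapped in memory until it is restarted. On Linux, lsof reports such a replaced file with the FD column set to DEL (some builds append "(deleted)" to the path instead). The filter below is an added example, not part of this article or of the Parallels products; it lists the command and PID of every process that still maps an old libssl or libcrypto, so you can confirm that the service restarts caught everything. The sample lsof output embedded in it is constructed for illustration, not captured from a real node.

```shell
#!/bin/sh
# Added example (not from the Parallels KB): find processes that still have a
# replaced libssl/libcrypto mapped after the OpenSSL update. Run it after the
# `service ... restart` steps; an empty result means no stale copies remain.

# Reads lsof output on stdin and prints "COMMAND PID" once per offending process.
# lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
stale_openssl_users() {
    awk '/lib(ssl|crypto)\.so/ && ($4 == "DEL" || /\(deleted\)/) { print $1, $2 }' | sort -u
}

# Live check on the node itself (lsof ships in the "lsof" package on RHEL/CentOS 6).
check_live() {
    lsof -n 2>/dev/null | stale_openssl_users
}

# Constructed sample: two httpd workers, one restarted (pid 2432, clean "mem"
# mapping of the library) and one not (pid 2431, DEL mappings), a clean sshd and
# a stale Java process. Not real data.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 2431 apache DEL REG 253,0 131606 /usr/lib64/libssl.so.1.0.1e
httpd 2431 apache DEL REG 253,0 131590 /usr/lib64/libcrypto.so.1.0.1e
httpd 2432 apache mem REG 253,0 420840 131700 /usr/lib64/libssl.so.1.0.1e
sshd 1102 root mem REG 253,0 1912616 131699 /usr/lib64/libcrypto.so.1.0.1e
java 3310 pem DEL REG 253,0 131606 /usr/lib64/libssl.so.1.0.1e'

sample_stale() {
    printf '%s\n' "$SAMPLE_LSOF" | stale_openssl_users
}
```

On the sample, `sample_stale` reports `httpd 2431` and `java 3310`; in practice any process listed this way needs a restart (or, for processes you cannot identify with a service, a reboot of the node) before the update is effective.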
Because Heartbleed can leak server memory, including credentials and session data, it is highly recommended to change the passwords of administrative staff after the update is finished.
SSL Certificate Revocations
We encourage all Parallels Automation customers to revoke and reissue the SSL certificates for at least the Online Store and all Branded domains, since the private keys may have been exposed while the vulnerable OpenSSL was in use. Install the new certificates only after OpenSSL has been updated and the services restarted; otherwise the new private key can be leaked in the same way. The procedure for revoking and reinstalling SSL certificates is out of the scope of this document.
After updating, additionally check all public HTTPS endpoints of Parallels Automation with the SSL Labs test: https://www.ssllabs.com/ssltest/.
The output of the test should include a row similar to this: This server is not vulnerable to the Heartbleed attack. (Experimental)
- KB #121016 - summary article for all Parallels products