
Article ID: 120984, created on Apr 9, 2014, last review on Aug 25, 2014

  • Applies to:
  • Business Automation 5.5


The OpenSSL group issued a vulnerability alert on April 7, 2014. You can find more information about CVE-2014-0160 at the OpenSSL website and at http://heartbleed.com/.

Parallels Automation systems may be affected by this vulnerability. Here is the list of the potentially vulnerable components of Parallels Automation:

  • PBA 5.4 servers deployed on RHEL/CentOS 6
  • All PBA 5.5 Linux servers
  • POA servers deployed on RHEL/CentOS/CloudLinux 6

The vulnerability affects almost all services that depend on OpenSSL (especially Apache-based ones) on systems built on Red Hat, CentOS, or CloudLinux 6.5. The vulnerable package is OpenSSL 1.0.1e-16.el6_5.4; the issue is fixed in OpenSSL 1.0.1e-16.el6_5.7.

The package version on Red Hat/CentOS can be checked using the command:

~# rpm -q openssl

OpenSSL 0.97a and 0.98e (in Red Hat/CentOS 5) are not vulnerable. According to RHSA-2014-0376, only Red Hat 6.5 has a vulnerable version of OpenSSL.


To secure your Parallels Automation installation:

  1. Update OpenSSL on the Online Store, PBA Application, and PBA Database servers that are deployed on RHEL/CentOS 6
  2. Update OpenSSL on all POA servers that are deployed on RHEL/CentOS 6
  3. Restart the POA UI and POA back-end services if the Branding node was updated
  4. Manage the certificate revocation/reissue/replacement process for the Store and Branded domains

To update RHEL 6 servers, refer to the instructions in the Red Hat advisory: https://rhn.redhat.com/errata/RHSA-2014-0376.html.

To update CentOS 6 servers, use the instructions from the vendor blog: http://www.centosblog.com/critical-openssl-vulnerability-heartbleed-openssl-1-0-1-1-0-1f-patch-bug-centos-system.

To update physical or virtual servers running on Parallels virtualization products, use the instructions provided in http://kb.parallels.com/en/120989.

Invoke the following command on the POA UI and MN nodes to restart the POA UI:

~# service pemui restart

Invoke the following command on the POA MN node to restart the POA back-end services:

~# service pem restart

Invoke the following command on the PBA-E application server to restart the PBA back-end services:

~# service pba restart

Invoke the following command on the PBA-E online store server to restart the PBA back-end services:

~# service httpd restart
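
A post-update check for the steps above, as an added example that is not part of the original article or of any Parallels tooling: it classifies the `rpm -q openssl` result against the fixed build named here and lists processes that still map the pre-update libssl because their service was not restarted. The function names and the `--run` switch are hypothetical; the stale-library check assumes the usual Linux behaviour of marking a replaced library as `(deleted)` in `/proc/<pid>/maps`.

```bash
#!/bin/bash
# Added example: post-update Heartbleed checks for a RHEL/CentOS 6 node.
FIXED_RELEASE="16.el6_5.7"   # fixed 1.0.1e build named in the article

# Classify one line of `rpm -q openssl` output.
# Prints: vulnerable | fixed | not-affected | unknown
classify_openssl_pkg() {
    local nvr="${1#openssl-}" version release lowest
    case "$nvr" in *.x86_64|*.i686|*.i386) nvr="${nvr%.*}" ;; esac  # drop arch
    version="${nvr%%-*}"; release="${nvr#*-}"
    case "$version" in
        1.0.1e) ;;                               # RHEL/CentOS 6.5 package line
        0.9.*)  echo "not-affected"; return ;;   # RHEL/CentOS 5 package line
        *)      echo "unknown"; return ;;
    esac
    # Version-aware sort: if the fixed release sorts first (or ties),
    # the installed release is at least the fixed one.
    lowest=$(printf '%s\n%s\n' "$release" "$FIXED_RELEASE" | sort -V | head -n1)
    if [ "$lowest" = "$FIXED_RELEASE" ]; then echo "fixed"; else echo "vulnerable"; fi
}

# Print PIDs whose memory map still references a deleted (pre-update) libssl.
# $1 = proc root (defaults to /proc; a parameter so the logic can be tested).
# Run as root, otherwise other users' maps files are unreadable and skipped.
stale_libssl_pids() {
    local root="${1:-/proc}" maps pid
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -q 'libssl.*(deleted)' "$maps" 2>/dev/null; then
            pid="${maps%/maps}"; echo "${pid##*/}"
        fi
    done
}

# Hypothetical wrapper: non-zero exit if anything still needs attention.
heartbleed_postcheck() {
    local pkg status pid rc=0
    for pkg in $(rpm -q openssl); do
        status=$(classify_openssl_pkg "$pkg"); echo "$pkg: $status"
        if [ "$status" = "vulnerable" ] || [ "$status" = "unknown" ]; then rc=1; fi
    done
    for pid in $(stale_libssl_pids); do
        echo "PID $pid ($(ps -o comm= -p "$pid")) still maps the old libssl; restart its service"
        rc=1
    done
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then heartbleed_postcheck; fi
```

A process listed by the second check is still running the old library code in memory even though the package on disk is fixed, which is why the restarts above are part of the remediation.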

Password Changes

It is highly recommended to change the passwords of administrative staff after the update is finished.

SSL Certificate Revocations

We encourage all Parallels Automation customers to revoke and reissue SSL certificates for at least the Online Store and all Branded domains. The procedure of revocation and reinstallation of SSL certificates is out of the scope of this document.

Additional Checks

After updating, additionally check all public HTTPS endpoints of Parallels Automation using the SSL Labs service: https://www.ssllabs.com/ssltest/.

The output of the test should include a row similar to this: "This server is not vulnerable to the Heartbleed attack. (Experimental)"

See also

  • KB #121016 - summary article for all Parallels products
