Heartbleed (CVE-2014-0160) on Acquia Cloud

On April 7, 2014, a security vulnerability affecting servers running the OpenSSL cryptographic library was disclosed at http://heartbleed.com. The security advisory for this vulnerability is CVE-2014-0160. Acquia has completed maintenance on all servers and infrastructure to close this vulnerability and ensure that Acquia Cloud customer sites are protected.

For more information on Acquia's response to Heartbleed, please see the blog post Protecting Enterprise Drupal Users Against Heartbleed.

Actions to take

At this time Acquia recommends that customers complete the following actions:

  1. Rekey your SSL certificates. Customers should read the first FAQ question in the next section to determine the action they need to take for their sites and begin the process to retrieve their rekeyed certificate from their Certificate Signing Authority (CSA), if necessary.
  2. Reset your Drupal passwords, especially site administrative password(s) and the passwords of any users with elevated permissions. See the following document for further information: How do I reset my admin password in Drupal 7?
  3. Audit all SSH keys. See Adding a public key to your server for information on viewing your keys.
  4. Reset all Acquia passwords.

FAQ

Here are the answers to some common questions:

How can I tell if I am affected?

  • If you are not using SSL on your website, you are not affected by this security vulnerability, and you can ignore this article.
  • If you are using SSL on your website, you are affected and should rekey your SSL certificate as described in the section How do I rekey my SSL certificate? If you are an Acquia Cloud customer, keep reading to determine the correct option for your site. If your certificate domain is hosted on Akamai or DosArrest, work with your vendor.
  • If you are using SSL and you are using an Acquia-managed shared certificate, Acquia has already taken the steps to correct this issue and you don't need to do anything.
  • If you are using SSL and you are using an Acquia-managed certificate on dedicated load balancers that Acquia purchased on your behalf, Acquia has taken steps to correct this issue. You don't need to do anything.
  • If you are using SSL with a certificate that you provided, but was installed by Acquia on dedicated load balancers, no further action is required.
  • If you are an Acquia Cloud customer using a Self-service SSL certificate and you generated your CSR (certificate signing request) through the Acquia UI, see the instructions for generating a new CSR on the page Adding HTTPS (SSL) support to your website.
  • If you are using a Self-Service SSL certificate and you provided your own CSR, you won't see the Generate a new CSR option. Follow the instructions below to rekey your certificate.

If I am affected, do I need to change my passwords?

Yes, you should change your passwords.

If Acquia has updated its infrastructure to protect against this vulnerability, why do I need to rekey my SSL certificates?

Rekeying your SSL certificates ensures that your private keys are secure. There is no way to know whether an attacker exploited this vulnerability to read your private keys. As a precaution, you should rekey your SSL certificate and work with your CSA to generate a new certificate.

What does rekeying an SSL certificate accomplish?

Rekeying an SSL certificate is the process of generating a new private key for an existing SSL certificate. It involves generating a new CSR. This is submitted to your CSA to generate a new SSL certificate, which can then be installed.

How do I rekey my SSL certificate?

Follow this process:

  1. Generate a new CSR using one of these methods:
    • Use your local shell. For example:

      openssl req -nodes -sha256 -newkey rsa:2048 -keyout <sitename>.key -out <sitename>.csr

    • If you are a Self-Service SSL user that generated your CSR through the Acquia UI, use the Generate a new CSR option on your Cloud > SSL page.
    • Use the Help Center instructions for Adding SSL support to your site.
  2. Log in to your CSA, manage your existing SSL certificate, upload your new CSR files, and rekey the certificate.
  3. After receiving the new certificate, either use the Acquia UI Cloud > SSL page, or upload the new certificate to /mnt/gfs/[sitename]/ssl and install the new certificate. For more information on how to apply SSL certificates with Acquia Cloud, see SSL and Acquia Cloud.
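As an added example (not Acquia's own tooling or documentation), the script below runs the local-shell CSR step from the process above and then checks that the CSR really belongs to the freshly generated key, which is the whole point of a rekey. The site name, output directory and certificate subject are constructed placeholders; note that -nodes writes the private key unencrypted, so the script restricts its file permissions.

```shell
#!/bin/sh
# Added example: generate a new private key and CSR for an SSL rekey, then
# verify the CSR was built from that key before uploading it to the CA.
set -eu

# rekey_csr SITENAME OUTDIR SUBJECT
#   Writes OUTDIR/SITENAME.key and OUTDIR/SITENAME.csr and returns 0 only if
#   the public key inside the CSR matches the new private key.
rekey_csr() {
    site="$1"; outdir="$2"; subj="$3"
    umask 077                     # -nodes leaves the key unencrypted: keep it 0600
    mkdir -p "$outdir"
    openssl req -nodes -sha256 -newkey rsa:2048 -subj "$subj" \
        -keyout "$outdir/$site.key" -out "$outdir/$site.csr" 2>/dev/null
    # Public key as embedded in the CSR vs. public key derived from the key file.
    csr_pub=$(openssl req -in "$outdir/$site.csr" -noout -pubkey)
    key_pub=$(openssl pkey -in "$outdir/$site.key" -pubout)
    [ "$csr_pub" = "$key_pub" ]
}

# key_fingerprint KEYFILE
#   SHA-256 of the DER-encoded public key; a genuine rekey yields a new value,
#   so comparing this against the old key proves the key actually changed.
key_fingerprint() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Stand-alone usage: ./rekey.sh <sitename> [outdir]  (subject is a constructed /CN=)
if [ -n "${1:-}" ]; then
    rekey_csr "$1" "${2:-.}" "/CN=$1" && key_fingerprint "${2:-.}/$1.key"
fi
```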

Why is it important that I take action?

The Heartbleed vulnerability enables an attacker to view memory on machines using susceptible versions of OpenSSL without leaving any trace. An attacker may have been able to view sensitive information on a machine including potentially accessing your SSL certificate’s private key.

Although this vulnerability wasn't made public until April 7, 2014 through the CVE-2014-0160 advisory, the flaw in OpenSSL has existed since 2012. Attackers may have used it to view your SSL certificate’s private key. The only way to fully ensure that your keys are secure is to rekey your certificates.

I use an Amazon Elastic Load Balancer (ELB). Am I affected?

Yes, Amazon has confirmed that Elastic Load Balancers were affected. Amazon has resolved this vulnerability. All customers who use ELBs for their SSL certificates, including those on our Self-Service SSL feature, will need to rekey their SSL certificates.

My websites run on other hosting. How can I tell if my websites are vulnerable?

Review all the details at http://heartbleed.com to help you determine if you are vulnerable. You can also use online tools, such as Qualys.com's SSL server test or http://filippo.io/Heartbleed, which may help you test your website for the vulnerability.

How do I revoke my previous SSL certificates?

The Heartbleed vulnerability potentially allowed attackers to obtain your SSL certificate's private key. After you install a new certificate, you should also revoke the old certificate so that an attacker holding the old key cannot set up a website masquerading as your own.

Each CSA has different procedures to perform a certificate revocation. Follow the instructions your CSA provides. Some of the most common CSAs and their procedures are as follows:

If you have additional questions, create an Acquia support ticket at https://insight.acquia.com/support.