Frequently Asked Questions and Responses related to ESA-2014-030: EMC Syncplicity Security Update for OpenSSL
What is the issue?
The OpenSSL project has recently announced a security vulnerability in OpenSSL that may impact Syncplicity customers. For more details, refer to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 .
What components of Syncplicity are affected?
The issue impacts the Syncplicity orchestration service, Syncplicity cloud storage service, and on-premise compute servers.
Was Syncplicity compromised due to this vulnerability?
At this time we have no evidence or reason to believe any Syncplicity servers were affected.
When is this issue going to be fixed?
EMC has applied remedies to eliminate the vulnerability from EMC servers.
What steps were taken to remediate the vulnerability?
Syncplicity patched the load balancers used for our Orchestration Service, and Amazon patched the load balancers used for our Cloud Storage Service, as soon as the patch became available from OpenSSL.
What steps do customers need to take to remediate the vulnerability?
There is no action needed by Syncplicity Personal Edition, Business Edition, and Enterprise Edition cloud storage customers to remediate this vulnerability. Enterprise Edition on-premise storage account administrators must patch their on-premise compute servers. We recommend the following steps:
- If you leverage SSL-offloading load balancers (a recommended Syncplicity Best Practice), contact your load balancer vendor for guidance on applying necessary patches if they have not notified you already (e.g., http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html, or http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed).
- If you expose your compute servers directly to the Internet or leverage non-SSL-offloading load balancers, you are advised to SSH into each node and issue the "sudo yum update" command to install the patched version of OpenSSL. Please reboot the compute servers after installing the patch. As a best practice, you are also advised to rotate your X.509 SSL certificates.
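One way to confirm on each compute node that the update and reboot described above took effect, as an added example that is not part of the original advisory or Syncplicity's own tooling. It assumes an RPM-based node (the advisory uses yum) whose openssl package changelog names the CVEs it fixes; the function names and script name are hypothetical.

```shell
#!/bin/sh
# Added example: post-patch checks for one compute node. Function names are
# hypothetical. Run as root so every process's maps file is readable.

# Succeeds if the RPM changelog read from stdin names the CVE from this advisory.
# Assumes the distribution records fixed CVE ids in the package changelog.
changelog_has_fix() {
    grep -q 'CVE-2014-0160'
}

# Print the PID of every process that still maps a libssl/libcrypto file that
# was replaced on disk, i.e. is still running the pre-update library.
# $1 is the proc root (default /proc); a parameter so it can be tested offline.
stale_ssl_pids() {
    proc_root=${1:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
            pid=${maps%/maps}
            echo "${pid##*/}"
        fi
    done
}

# Run both checks on the local node; returns non-zero if either fails.
check_node() {
    rc=0
    if rpm -q --changelog openssl 2>/dev/null | changelog_has_fix; then
        echo "OK: installed openssl package changelog lists CVE-2014-0160"
    else
        echo "WARNING: openssl changelog does not list CVE-2014-0160; run 'sudo yum update'"
        rc=1
    fi
    stale=$(stale_ssl_pids /proc)
    if [ -n "$stale" ]; then
        echo "WARNING: processes still using the old library (reboot needed):" $stale
        rc=1
    else
        echo "OK: no process maps a replaced libssl/libcrypto"
    fi
    return $rc
}

# Invoke as: sh check_openssl_patch.sh --check
if [ "${1:-}" = "--check" ]; then
    check_node
fi
```

A non-empty PID list after `sudo yum update` means those services are still running the old library in memory, which is why the reboot step matters.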
What additional measures is Syncplicity recommending to reduce the risk associated with this vulnerability?
While we have no evidence or reason to believe any Syncplicity servers were affected, as an extra precautionary measure, non-SSO customers may choose to change their account passwords. Please review this article for steps to reset the password: http://manual.syncplicity.com/w/page/36736902/How-do-I-change-or-reset-my-password