Patched: OpenSSL Heartbleed Vulnerability CVE-2014-0160


This morning we deployed an update to the OpenSSL software packages on our shared and customer servers to address a critical vulnerability. The vulnerability, dubbed “heartbleed”, is the result of a missing bounds check on attacker-supplied length data within the “heartbeat” feature of the OpenSSL TLS implementation.

Because of this vulnerability, it is possible that a portion of active memory can be disclosed to connecting clients, which can leak sensitive information. Ultimately, this may lead to the disclosure of transaction or customer-identifiable information, which undermines the very purpose of SSL implementations for our customers and the Internet community at large.

Although we make every effort to schedule updates and maintenance, the critical nature of this vulnerability prompted immediate action. We’re working hard to protect our customers and want to thank you for your understanding.

What is the status of my SSL certificates?
Our position is that regenerating/reissuing SSL certificates is not explicitly required and doing so would be out of an abundance of caution. Although the heartbleed vulnerability had the very real possibility to disclose the server-side private key for an SSL certificate, the ability to capture an entire SSL private key required more than just a passing interest in a specific web site. An attacker would need to conduct a targeted effort to dump thousands of memory captures using the vulnerability and piece together the SSL private key from the fragments, a non-trivial task.

Further, we have no indications at this time of any large-scale attempts to compromise SSL private keys on our customer web sites, servers or network at large. We will continue to monitor our servers and networks with vigilance, and if at any time we have indications that this position needs to change, we will update our customers accordingly.

If you have any questions or concerns regarding this or other issues, please get in touch and we’ll get back to you as soon as possible.

Vulnerability Scope:
For customers that are currently running cPanel/WHM, the OpenSSL update will apply within the next 24h through daily automatic updates. To verify that the update has applied or to proactively apply it, please find details below. It is important to note that once the OpenSSL update has been applied, Apache and/or Nginx must be restarted to ensure that the vulnerability is properly closed: a running process keeps using the old library code until it is restarted, even after the package on disk has been replaced.

Check the current OpenSSL Version:
# rpm -q openssl
openssl-1.0.1e-16.el6_5.7.x86_64

The patched version of OpenSSL for CentOS 6 is openssl-1.0.1e-16.el6_5.7.x86_64.
The version of OpenSSL provided in CentOS 5.10 (openssl-0.9.8e-27.el5_10.1) is NOT vulnerable.
The version of OpenSSL provided in CentOS 6.5 (openssl-1.0.1e-16.el6_5.4) WAS vulnerable.

If you find that you are running any version other than 'openssl-0.9.8e-27.el5_10.1' or 'openssl-1.0.1e-16.el6_5.7.x86_64' then you should immediately update the OpenSSL packages:
# yum update -y openssl
# /etc/init.d/httpd stop
# /etc/init.d/httpd start
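The following script is an added example, not the provider's own tooling, that automates the verification steps above on a RHEL/CentOS host. It classifies the installed OpenSSL package against the exact package strings quoted in this post (anything not listed is reported as "unknown" so that a later build is checked by hand rather than assumed safe), and it scans /proc/PID/maps for processes that still map a libssl or libcrypto file the package manager has since replaced, which the kernel marks "(deleted)". Those are the processes, typically httpd or nginx, that still run the old code and need the restart described above. It assumes rpm and a mounted /proc; the --check entry point and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not the hosting provider's script): post-update verification
# for CVE-2014-0160 on RHEL/CentOS. Package strings are those quoted in the post.

KNOWN_PATCHED="openssl-0.9.8e-27.el5_10.1 openssl-1.0.1e-16.el6_5.7"
KNOWN_VULNERABLE="openssl-1.0.1e-16.el6_5.4"

# Compare an installed package string (as printed by `rpm -q openssl`) against
# the post's lists. Prints one of: patched, vulnerable, unknown. An architecture
# suffix such as .x86_64 is ignored; anything not explicitly listed is "unknown"
# so that a later build is verified manually rather than assumed safe.
classify_openssl() {
    pkg="$1"
    for v in $KNOWN_PATCHED; do
        case "$pkg" in "$v"|"$v".*) echo patched; return 0 ;; esac
    done
    for v in $KNOWN_VULNERABLE; do
        case "$pkg" in "$v"|"$v".*) echo vulnerable; return 0 ;; esac
    done
    echo unknown
}

# List PIDs that still map a libssl/libcrypto file which has been replaced on
# disk. The kernel appends "(deleted)" to such mappings in /proc/PID/maps; these
# processes keep executing the pre-update code until they are restarted.
stale_tls_pids() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if grep -qE 'lib(ssl|crypto).*\(deleted\)' "$maps" 2>/dev/null; then
            echo "$pid"
        fi
    done
}

# Full host check: exit 0 only when the package is a known patched build and no
# process is still running the old library.
main() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; this check is for RHEL/CentOS hosts" >&2
        return 2
    fi
    pkg=$(rpm -q openssl | head -n 1)
    state=$(classify_openssl "$pkg")
    echo "installed: $pkg ($state)"
    stale=$(stale_tls_pids)
    if [ -n "$stale" ]; then
        echo "processes still using the replaced library; restart them:"
        for p in $stale; do
            echo "  $p $(tr '\0' ' ' < "/proc/$p/cmdline" 2>/dev/null)"
        done
    fi
    [ "$state" = patched ] && [ -z "$stale" ]
}

# Run the check only when invoked as `sh heartbleed-check.sh --check`, so the
# functions above can also be sourced from another script.
if [ "${1:-}" = "--check" ]; then
    main
fi
```

Run it as root after `yum update openssl`: a non-zero exit means either the package is not one of the builds listed in this post or a service still has the old library mapped, and the printed PIDs tell you which services to restart.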

Although we have made every effort to access and update customer systems, this may not always be possible in cases where customers may have restricted access to systems and/or are using operating systems other than RHEL/CentOS. As such, we encourage all Cloud VPS, Hybrid and Dedicated customers to verify that this vulnerability is patched with an updated OpenSSL package.

Additional update information:

Debian Wheezy, Jessie, Sid
https://www.debian.org/security/2014/dsa-2896
# apt-get update && apt-get install libssl1.0.0 openssl
(libssl1.0.0 is the shared library package that Apache and Nginx actually load; upgrading only the openssl command-line package is not sufficient, and the services must still be restarted afterwards.)

Ubuntu 12.04, 12.10, 13.10
http://www.ubuntu.com/usn/usn-2165-1/
# apt-get update && apt-get install libssl1.0.0 openssl
(As on Debian, libssl1.0.0 is the library package the services load; restart Apache/Nginx after the upgrade.)

RHEL/CentOS 6.5
https://rhn.redhat.com/errata/RHSA-2014-0376.html
http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html
# yum update openssl

CentOS 5.10, OpenSSL 0.9.8 is NOT vulnerable

Vulnerability Details:
http://heartbleed.com/
https://www.openssl.org/news/secadv_20140407.txt
https://access.redhat.com/security/cve/CVE-2014-0160

Proof of Concept Test:
http://filippo.io/Heartbleed/


Important Changes To ICANN’s Registrar Accreditation Agreement



Attention SEOHosting Customers:

Please read this important announcement carefully! The following post details new regulations and procedures for ICANN’s Registrar Accreditation Agreement:

VALIDATING REGISTRANT E-MAIL ADDRESSES

Starting in January, the registrant contact will need to be validated upon the purchase or transfer of a domain name or if the registrant’s first name or last name has been modified.

Should any of these occur, OpenSRS, our registrar, will send an email requiring an affirmative response from the registrant. Failing to receive an affirmative response from the registrant within 15 days will result in the suspension of the name. This means that the domain (and any related services) will be offline.

If a registrant has already validated their contact information, this process will not be initiated.

The same validation process will take place if a WHOIS Data Reminder Policy (WDRP) notice, 30 day expiration notice or 5 day expiration notice bounces. It is extremely important to ensure the WHOIS data that you provide for your domain is correct.

ICANN WEBSITE REQUIREMENTS

ICANN now requires that we list the following new pieces of information on your website:

• ICANN’s Registrant’s Benefits and Responsibilities

• ICANN’s site for registrant education

We hope that these changes in ICANN policy will have little effect on the ease in which you are able to order domain registrations or transfers. Please contact our billing department with any questions or concerns.



Dallas Network Maintenance Dec 16th 21:00 – 21:30 EST


On Monday, Dec 16th 21:00 – 21:30 EST we will be continuing maintenance on our network equipment at our Dallas facility. This will include switching from our copper links to much faster and more stable fiber-based links. The end result will be better scalable bandwidth and much better DDoS attack resilience.

These operations are expected to be fully transparent and they shouldn’t cause any noticeable downtime. If you notice any connection issues after this maintenance is done, please contact our Support department.


Dallas Network Maintenance Dec 13th 21:00 – 21:30 EST


On Friday, Dec 13th 21:00 – 21:30 EST we will be conducting maintenance on our network equipment at our Dallas facility. This will include switching from our copper links to much faster and more stable fiber-based links. The end result will be better scalable bandwidth and much better DDoS attack resilience.

These operations are expected to be fully transparent and they shouldn’t cause any noticeable downtime. If you notice any connection issues after this maintenance is done, please contact our Support department.


Shared Server Scheduled Maintenance


Over the next few weeks, we will be conducting scheduled maintenance on all of our shared servers. There are a number of updates occurring, including:

  • cPanel updated from 11.34 to 11.38
  • New Apache 2.2.25, Percona MySQL 5.5.33, and PHP 5.3.27 as default installations
  • PHP 5.2.17 and 5.4.19 alternate installs made available to customers.
  • Improved Mod_Security rule sets
  • Improved monitoring and load management capabilities
  • Addition of an Nginx acceleration stack that will be available to customers
  • Improved default MySQL and PHP configurations
  • Replacement of Fantastico Deluxe with Softaculous Auto Installer

For PHP, all existing users will default to 5.2.17 and all new users will default to 5.3.27. We encourage customers to use the latest PHP version available to help ensure optimal website performance and security. If you run a current version of WordPress, we recommend using PHP version 5.4. Customers that have enabled PHP version 5.4 have seen up to a 20% increase in performance.

To use the respective PHP versions, please edit your .htaccess entries to include one of these lines:

For version 5.4: AddType application/x-httpd-php54 .php
For version 5.2: AddType application/x-httpd-php52 .php
For PHP 5.3, simply comment out any AddType PHP definition (if any).

Our plan is to begin the maintenance on a small group of servers starting this evening and then upgrade approximately 5 servers per day until the upgrades are completed on all servers. Most upgrades will start at approximately 8 pm Eastern time. Expected downtime is approximately 20-30 minutes for web services, followed by an additional 10 minutes of cPanel inaccessibility. We expect fairly minimal disruption to customers and sites after the changes are complete.

We have already rolled out these upgrades to some servers over the past month or two and have seen great results. We believe these changes will lead to much more stable and much better performing servers, and subsequently a better experience for all of our customers.

If you have any questions, please do not hesitate to contact our support team. They will be happy to take a look at our schedule of upgrades and let you know when your accounts will be affected.
