Heartbleed, API Services, and What You Should Do
By now, you’ve surely heard about the Heartbleed vulnerability (CVE-2014-0160) in OpenSSL versions 1.0.1 through 1.0.1f (inclusive). Although only recently discovered, Heartbleed has been present in OpenSSL since December 2011. It allows an attacker to read information that would normally be protected by the SSL/TLS encryption used to secure communications between devices connected to the internet.
Many blogs and websites have discussed the technical details of the vulnerability, so we won’t go into the minutiae here. However, we will describe the implications of the bug to your API services, the actions taken by Apigee to mitigate Heartbleed threats, and what you should do about it.
Members of the Apigee security team and the Apigee infrastructure team have reviewed Apigee’s potential exposure to the vulnerability and have compiled the information for ensuring safe and secure API services. As of now, we have no indication that Apigee services were attacked using this vulnerability. That said, the nature of the vulnerability makes an attack difficult to detect and we prefer to be cautious.
The Heartbleed bug (CVE-2014-0160) is exploited during an SSL-encrypted connection (e.g. HTTPS). A connected computer could have read up to 64K of unencrypted memory contents from the other end of the connection, and that may have included private information such as private keys and passwords.
Were Apigee’s product and services impacted by the Heartbleed bug?
Apigee Edge was not impacted because it doesn’t employ OpenSSL for SSL/TLS services. However, Apigee Edge services in the cloud were impacted given our reliance on AWS (Amazon Web Services) Elastic Load Balancer. Since the ELBs are using OpenSSL, we were susceptible to the Heartbleed vulnerability.
We responded quickly and kept Apigee customers apprised of the situation throughout the incident (via email as well as updates to status.apigee.com).
What has Apigee done in response?
On April 8, all ELB instances were patched, so we are no longer vulnerable. Apigee’s private keys installed on the ELBs and used by our public SSL/TLS services may have been exposed. Hence, we’ve revoked the potentially exposed private keys and replaced them with new keys and certificates.
Furthermore, because Apigee already isolates SSL/TLS termination from application servers, the scope of information disclosure is limited to SSL keys and data proxied before an attack.
What should an Apigee user do?
While we’ve seen no evidence of this bug being exploited on the platform, a Heartbleed attack does not usually leave tell-tale signs of compromise. In the interest of security, you should consider the following:
If you are an Edge customer hosting API endpoints on Apigee Edge, you should have received communications with instructions from Apigee support to replace your SSL/TLS key with a new one. This will protect you from malicious attackers who may have retrieved the private key from a vulnerable server. Apigee Edge customers can get in touch with Apigee using their support portal in this regard.
If you are a registered developer using Apigee Developer (the free service) or a paying customer using Apigee Edge, it is recommended that you change your passwords for user accounts (for example, change your password to the Apigee management portal).
All customers are advised to have developers within their organization rotate application credentials and keys so that the old keys are phased out. You can perform these functions by using the management API or via the Apigee management portal.
I am running the Apigee Developer Services Portal. Am I impacted?
Our hosting providers for the Apigee Developer Services portal have confirmed that they have applied the proper patch, which means we are no longer vulnerable. We do recommend that customers generate a new key, obtain a new certificate for it, and revoke the current SSL certificate.
I am running Apigee Edge on-premises. Am I impacted?
Apigee Edge is not vulnerable to the Heartbleed attack. Edge service components do not use OpenSSL for any SSL/TLS connectivity. However, if you have deployed Developer Services in your environment, you will have to verify that your OpenSSL library is updated to a safe version.
As reported by the recent OpenSSL advisory, the following versions are safe:
OpenSSL 1.0.1g is NOT vulnerable to CVE-2014-0160
OpenSSL 1.0.0 branch is NOT vulnerable to CVE-2014-0160
OpenSSL 0.9.8 branch is NOT vulnerable to CVE-2014-0160
OpenSSL 0.9.7 branch is NOT vulnerable to CVE-2014-0160
However, OpenSSL 1.0.1 through 1.0.1f (inclusive) is vulnerable to CVE-2014-0160.
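To turn the advisory's version table above into a quick check for an on-premises Developer Services host, here is an added example (not Apigee's code, not part of the original post) that classifies the version token printed by `openssl version` against the vulnerable range. It assumes `openssl` is on the PATH; the caveat in the comments about vendor backports is an assumption about your distribution's packaging, not something the advisory states.

```shell
#!/bin/sh
# Added example: classify an OpenSSL version string against CVE-2014-0160.
# Per the advisory quoted above, only 1.0.1 through 1.0.1f (inclusive) is
# vulnerable; 1.0.1g and the 1.0.0 / 0.9.8 / 0.9.7 branches are not.

# Returns 0 (true) when the version token is in the vulnerable range, 1 otherwise.
# $1: the version as printed by `openssl version`, e.g. "1.0.1f" or "1.0.1g".
heartbleed_vulnerable() {
    case "$1" in
        1.0.1|1.0.1[a-f]) return 0 ;;   # 1.0.1, 1.0.1a ... 1.0.1f
        *)                return 1 ;;   # 1.0.1g+, 1.0.0x, 0.9.8x, 0.9.7x, 1.0.2+
    esac
}

# Classify the copy installed on this host (assumes `openssl` is on the PATH).
# Caveat (assumption about your distribution): some vendors ship the fix as a
# backport under the old version number, so a "vulnerable" verdict means
# "confirm against your vendor's package changelog or upgrade", not a proven
# exposure. A "not vulnerable" verdict is reliable, since 1.0.1g+ contains the fix.
# Returns 0 if the installed version is in range, 1 if not, 2 if openssl is absent.
check_installed() {
    ver=$(openssl version 2>/dev/null | awk '{print $2}')
    if [ -z "$ver" ]; then
        echo "openssl not found in PATH"
        return 2
    fi
    if heartbleed_vulnerable "$ver"; then
        echo "OpenSSL $ver: in the CVE-2014-0160 range (1.0.1-1.0.1f); verify vendor backport or upgrade to 1.0.1g or later"
        return 0
    fi
    echo "OpenSSL $ver: not in the CVE-2014-0160 range"
    return 1
}
```

Run `check_installed` on each host that terminates TLS with OpenSSL; the exit status lets you fold the check into a fleet-wide inventory script.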
Apigee takes its customers’ security very seriously, and we’re committed to making our API platform invulnerable to threats like Heartbleed.