Is AWS, specifically the load balancer service affected by SSL "Heart Bleed" exploit?

security ssl amazon-web-services openssl heartbleed-bug
Abram picture Abram · Apr 8, 2014 · Viewed 13.8k times · Source

I can't find information on what versions they're using. I'd expect AWS to make a statement about this, because it's a pretty big deal, but again, can't find anything.

To answer my own question, YES it is vulnerable. Use this site to test:

http://filippo.io/Heartbleed/

Answer

user3512472 picture user3512472 · Apr 8, 2014

Your question sounds very similar to this thread on AWS Forums:

https://forums.aws.amazon.com/thread.jspa?messageID=535235&tstart=0

If you have not checked that before, in short; Yes AWS ELBs are affected by heartbleed and Amazon released this statement mentioning they are working on it:

http://aws.amazon.com/security/security-bulletins/heartbleed-bug-concern/

They have not provided a timeline yet.

For Amazon Linux images, patch is available through yum repositories. (Updated package: openssl-1.0.1e-37.66.amzn1)

Related questions

Default SecurityProtocol in .NET 4.5

What is the default security protocol for communicating with servers that support up to TLS 1.2? Will .NET by default, choose the highest security protocol supported on the server side or do I have to explicitly add this line of code: …

Read More
SSL Error: unable to get local issuer certificate

I'm having trouble configuring SSL on a Debian 6.0 32bit server. I'm relatively new with SSL so please bear with me. I'm including as much information as I can. Note: The true domain name has been changed to protect the identity …

Read More
Keystore type: which one to use?

By looking at the file java.security of my JRE, I see that the keystore type to use by default is set to JKS. Here, there is a list of the keystore types that can be used. Is there a …

Read More