
I can't find information on what versions they're using. I'd expect AWS to make a statement about this, because it's a pretty big deal, but again, can't find anything.

To answer my own question, YES it is vulnerable. Use this site to test:

http://filippo.io/Heartbleed/

Gumbo
Abram
  • This question appears to be off-topic because it is about software versions, administration and patching. Server Fault has quite a few questions on the topic: https://serverfault.com/questions/tagged/heartbleed. – jww Apr 09 '14 at 11:16

1 Answer


Your question sounds very similar to this thread on AWS Forums:

https://forums.aws.amazon.com/thread.jspa?messageID=535235&tstart=0

If you have not checked that before, in short: yes, AWS ELBs are affected by Heartbleed, and Amazon released this statement mentioning they are working on it:

http://aws.amazon.com/security/security-bulletins/heartbleed-bug-concern/

They have not provided a timeline yet.

For Amazon Linux images, a patch is available through the yum repositories. (Updated package: openssl-1.0.1e-37.66.amzn1)

  • `openssl-1.0.1e-37.66.amzn1` - 1.0.1e is downlevel. 1.0.1g remediates the issue. Are they backpatching so that it's impossible to track versions? – jww Apr 08 '14 at 19:24
  • @jww I believe they do not maintain 1.0.1g as a separate branch. 1.0.1e-37.66 backports the fix for Heartbleed. – user3512472 Apr 08 '14 at 19:38
  • You can check their status here: http://aws.amazon.com/security/security-bulletins/aws-services-updated-to-address-openssl-vulnerability/ – Pedro Salgado Apr 08 '14 at 21:01
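
Added example, not part of the original answer or comments: because the fix is backported, the upstream version stays at 1.0.1e and only the package release field distinguishes builds, so a check has to compare the release against the 37.66 quoted in the answer. The function name `check_openssl_nvr` and the sample package strings other than `openssl-1.0.1e-37.66.amzn1` are constructed for illustration; it only classifies 1.0.1e `amzn1` builds and reports anything else as unknown.

```shell
#!/bin/sh
# Release of the fixed build, taken from openssl-1.0.1e-37.66.amzn1 in the answer.
FIXED_RELEASE="37.66"

# check_openssl_nvr NAME-VERSION-RELEASE[.ARCH]
# Prints "patched", "predates-fix" or "unknown".
check_openssl_nvr() {
    nvr=$1
    case $nvr in
        openssl-1.0.1e-*.amzn1*) ;;            # Amazon Linux 1.0.1e build
        *) echo unknown; return 0 ;;           # other version or distro: no verdict
    esac
    rel=${nvr#openssl-1.0.1e-}                 # drop name and upstream version
    rel=${rel%%.amzn1*}                        # drop dist tag and arch
    case $rel in
        ''|*[!0-9.]*) echo unknown; return 0 ;;  # release is not dotted numbers
    esac
    # Version-aware sort: if the fixed release sorts first (or ties),
    # the installed release is at or above it.
    lowest=$(printf '%s\n%s\n' "$rel" "$FIXED_RELEASE" | sort -V | head -n 1)
    if [ "$lowest" = "$FIXED_RELEASE" ]; then
        echo patched
    else
        echo predates-fix
    fi
}

# Constructed sample inputs (only the 37.66 string comes from the thread).
for pkg in openssl-1.0.1e-37.66.amzn1.x86_64 \
           openssl-1.0.1e-4.55.amzn1.x86_64 \
           openssl-1.0.1g; do
    printf '%s: %s\n' "$pkg" "$(check_openssl_nvr "$pkg")"
done

# On a live Amazon Linux host: check_openssl_nvr "$(rpm -q openssl)"
```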