Heartbleed Vulnerability Update: Perforce Patched Releases Now Available
On 7 April, 2014, we learned about a vulnerability (CVE-2014-0160, aka Heartbleed) in OpenSSL, an open-source implementation of the Secure Sockets Layer (SSL) protocol. We have not found any indication that any Perforce server has been exploited using the Heartbleed vulnerability. However, because we take the security of our customers’ data very seriously, this is to let you know what we have done about this issue and what steps you should take.
If you have enabled SSL on your Perforce products, a third party could conceivably steal sensitive data from your server such as your SSL private key, password hashes, etc.
The affected server products are the server (P4D), broker (P4Broker), and proxy (P4P) configured for SSL on all OS platforms in releases 2012.2, 2013.1, 2013.2, 2013.3, and 2014.1. Also affected are the Apache servers configured for HTTPS in the OVA distributions of Git Fusion and Swarm. Perforce clients are also affected.
Additionally, if you are running Git Fusion, Swarm or Insights with your own web servers, you might be impacted if the underlying web server is vulnerable. (Please check with your web server vendor).
Updates Now Available
We recommend that our customers who are on maintenance install the latest patch releases as soon as possible. Patched versions of all affected server releases are now available from the Perforce website. To get patched binaries for older (pre-2014.1) releases, please select the appropriate version number from the down drop-down menu. You can also receive these patched binaries from our FTP site.
Optionally for the OVAs, simply running apt-get update and apt-get upgrade will fix the vulnerability.
We are presently working on patched versions of our clients, (UPDATE: patched clients now available).
If you are not currently on maintenance, please contact a Perforce account representative.
What To Do Once You Have Installed the Patched Versions
Once you’ve installed the patched releases we also recommend taking the following steps to secure your communications and data in the event the vulnerability was exploited on your server.
Revoke and reissue your SSL certificate.
This will require your users and automated systems to accept the new certificate:
- Move aside or delete your old certificate.txt and privatekey.txt
- Generate a new certificate by running: p4d -Gc
- Make note of the new fingerprint (and accept it) by running: p4 trust -f
- You will then need to email your users the new fingerprint and instruct them to trust it.
Additionally, automated systems will need to be manually forced to trust the new fingerprint.
For Swarm this is accomplished by deleting the file <swarm-root>/data/p4trust
- Have all of your users set new passwords. To force your users to reset their passwords, you could use the instructions in this knowledge base article, "Forcing password reset".
If you have other questions or concerns please feel free to contact firstname.lastname@example.org.