Security Announcement: Scalr Discontinues Support for SSLv3

by Thomas Orozco on Oct 15, 2014 1:44:24 PM

On October 14th, a team of security researchers from Google announced a new attack on SSLv3: POODLE (CVE­ 2014-­3566), which compromises the secrecy of communications secured using SSLv3, one of the technologies that enable clients and servers to establish an encrypted connection over the internet (e.g. an HTTPS session).

What you need to know

Due to numerous faults in the specification, SSLv3 has been deprecated for a while, but it remained in use across the internet for compatibility with very old clients. Note that this does not mean clients are actively using SSLv3 to talk to e.g. Scalr (TLS, SSL’s successor is used in overwhelming majority of connections). All it means is that SSLv3 is available if they choose to (which they seldom do).

However, in order to ensure the security of our customers, POODLE marks the end of the road for SSLv3 at Scalr, as we are disabling support for it across our servers. This means that clients will now be required to use TLS to talk to Scalr.

What you need to do

As a user, it is unlikely that you’ll be affected. Your clients will continue using TLS to talk to Scalr like they did before we removed support for SSLv3 (like it should). If you do get in trouble, you’ll need to update your clients to something more recent  (for example, TLS has been available in OpenSSL for upwards of 15 years).

Note that if you are using Scalr to deploy HTTPS web servers, you will likely want to make the same change to preserve the security of your users.
Read More

Topics: Announcements, Technical, Security, Google

Application Cloud Readiness Checklist

by Thomas Orozco on Sep 30, 2014 8:00:00 AM

“Is this app ready to be deployed to cloud?”

If your organization is planning a migration to cloud (and today, who isn’t?), this is a question you’re going to ask a lot. But how do you tell? Look no further: here’s a checklist of what you’ll need to validate before you can label an app “cloud-ready!"

 

1. Is the deployment of your app automated?

Read More

Topics: DNS, Tips, Cloud Native, DevOps, Lifecycle Management

Upgrade Bash and Address CVE-2014-6271 ("Shellshock") now with Scalr

by Thomas Orozco on Sep 24, 2014 4:58:00 PM

Earlier today, it was discovered that bash (the “Bourne-again shell”) was susceptible to remote code execution.

The vulnerability (CVE-2014-6271) is triggered when bash is called with specially-crafted environment variable values (which, unlike environment variable names, aren’t usually validated!).

To check whether a given system is affected, you can run the following command:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 

Just How Bad Is This?

Very bad. Passing user-provided information through environment variables is in fact pretty common (it’s done in CGI scripts with HTTP_* variables for user-provided headers, in SSHD with SSH_ORIGINAL_COMMAND, etc.).

What’s more, on RHEL, bash is the default shell, which means that all your calls to system (e.g. any Python that uses os.system, etc.) go through bash (and are therefore vulnerable). So even if you are not directly using bash, you might still be (indirectly) vulnerable.

If you are using Debian or Ubuntu, your attack surface is slightly more limited, because the default shell is dash, not bash. That is not to say this is a minor vulnerability, though — you should nonetheless upgrade immediately.

Upgrade Bash Now

To upgrade your systems, you can use the following script (use One-Off Script Execution). It’ll detect the package manager you’re using, update bash, and run a test (it’ll exit with 0 if the update was successful, 1 if you’re still vulnerable).

Check your Scripting Logs to ensure that the vulnerability is gone.

 

Ensure the vulnerability doesn’t come back to haunt you!

You can use Global Orchestration (a new Scalr 5.0 feature) to ensure that the aforementioned script runs on all your instances (preferably upon HostInit), so that bash is updated at startup on all your systems.

Update: Bash still vulnerable

The fix released by the bash maintainer earlier today did not entirely address the issue, and you should need run another update (consider updating the is_vulnerable function with the code linked here, which will let you know whether you are still vulnerable).

Does This Vulnerability Affect Scalr?

This vulnerability doesn’t affect Scalr directly, but it does affect the servers you are managing through Scalr.

 
Read More

Topics: Technical, Security, Tips

AWS Massively Rebooting Instances - What you need to know

by Thomas Orozco on Sep 24, 2014 12:53:00 AM

Earlier today, AWS announced that it would begin rebooting instances across its EC2 service over the coming days, likely in order to patch its underlying (Xen) hypervisors. This maintenance event is happening on very short notice; here’s what you need to know as an AWS (and Scalr) customer.

What You Need To Know

With earlier AWS maintenance events, it was possible to stop and restart an instance in order to have it migrate to a patched host (and avoid an uncontrolled reboot). This time, however, AWS is not guaranteeing that restarting an instance will have that effect.

Here’s why. AWS hosts can be split into two groups: hosts that have already been patched or don’t need the patch (let’s call these “good” hosts), and hosts that need the patch (let’s call these “bad hosts”).

If one of your instances is on a “bad host”, you’ll want to move it to a “good host” by stopping it and restarting it. Unfortunately, so does every other AWS customer. When the “good host” capacity runs out (and it may already have), instances you restart will land on “bad hosts” again, and will still have to go through a reboot.

Are Your Instances Affected?

You can view which (if any) of your instances are affected by logging in to the EC2 Console and opening the “Events” Tab. Be mindful that this may not be updated in real-time (though AWS is reportedly working on this).

Read More

Topics: Technical, AWS, Tips, Amazon

Deciphering VMware's OpenStack Play

by Thomas Orozco on Sep 23, 2014 8:00:00 AM

A couple weeks ago at VMworld, VMware announced that it was introducing “VMware OpenStack”, an integrated OpenStack release that is specifically designed (or configured?) to be deployed on a VMware virtualization layer (note: if you’re unfamiliar with what a “resource layer” is in this context, we encourage you to review this paper).

Is This New Software?

Not really. VMware OpenStack is essentially a repackaging of existing functionality and software. Indeed, OpenStack support for VMware virtualization is not new:

  • For compute virtualization, OpenStack Nova already supports VMware vSphere

  • For network virtualization, OpenStack Neutron already supports VMware NSX

  • For storage virtualization, OpenStack Cinder and Glance already support VMware VSAN and vSphere storage

So, in other words, OpenStack already had support for VMware virtualization software (and all of that is open-source), and therefore VMware OpenStack is not actually much more than an OpenStack distribution that is pre-configured to integrate with VMware virtualization software.

Then What is VMware’s Value Add?

The central value proposition of VMware OpenStack is to easily deploy OpenStack on an existing VMware “Software Defined Data Center” (SDDC); a VMware virtualized resource layer.

To that end, VMware provides an OpenStack installer (which ships as an OVF package). VMware argues it will let you trivially deploy OpenStack to an existing VMware infrastructure, configure it, and manage the controller services (to learn more, the SDDC2198 VMworld session includes a demo, and can be viewed online).

Note that, functionally, this is somewhat similar to what Mirantis provides with Mirantis Fuel.

Is It Still OpenStack When It’s VMware OpenStack?

Fundamentally, OpenStack’s functionality and core value proposition is to abstract away your virtualization infrastructure, and present standardized developer-friendly APIs.

Now, the APIs exposed by VMware OpenStack are the actual OpenStack APIs. So, yes, VMware OpenStack is in fact OpenStack. As such, it will be compatible with the ecosystem of tools that have been developed around OpenStack itself — including Cloud Management Platforms like Scalr.

Read More

Topics: OpenStack, Opinion, Cloud Platform, vCloud, Private Cloud, enterprise cloud, VMware

Welcome to the Scalr blog!

We build a Cloud Management tool that helps businesses efficiently design and manage infrastructure across multiple clouds.

Here, we post about our experience working with the Cloud, and building Scalr. On average, we do that twice a week.

Sometimes, we'll also cover Cloud-related news.

Subscribe to Email Updates