Tech Blog

Security Notice: CVE-2014-0160 / Heartbleed OpenSSL Vulnerability

 

Over the last couple of days our team has been hard at work to address the newly-disclosed CVE-2014-0160 vulnerability (a.k.a. Heartbleed). We’ve completed proofing our service against the bug by upgrading our OpenSSL libraries, replacing certificates and changing the credentials. While we have no reason to suspect that our service’s security had been breached, we strongly recommend that all our users change all their passwords and certificates by following the steps in the sections below:

Instructions for Users Who Log In via Redis Labs Website

To prevent unauthorized access to your Redis Labs account, change your login password:

  1. Login to your account at http://redislabs.com/?login=1.

  2. Click the Profile top menu entry to access your profile.

  3. Enter your new password and click Save to apply the change.

Next, you should change the password of your Redis Cloud and Memcached Cloud resources. To do so, follow these steps from your account’s console:

  1. Access the Manage Resources page by clicking the MY RESOURCES->Manage menu entry.

  2. Change the password of each of your Redis Cloud and SASL Authentication-enabled Memcached Cloud resources:

    1. Click the resource to select it and view its properties.

    2. Click the Edit button at the bottom of the page.

    3. Enter a new password in the Redis Password field (or the SASL Authentication Password field for Memcached Cloud resources).

    4. Click the Update button at the bottom of the page to apply the change.

If you are subscribed to our SSL-protected Redis Cloud and Memcached Cloud plans, we strongly recommend that you replace your resources’ certificates. This can be done by editing your resource and generating or uploading a new client certificate under the SSL Client Authentication section.

Lastly, once you’ve changed the password of a Redis Labs cloud resource, you’ll need to apply the change to your application’s environment as well.

Instructions for Heroku Users

To change the password of your Redis Cloud or Memcached Cloud Add-On resources, follow these steps:

  1. Login to your Heroku account at https://id.heroku.com/login.

  2. Navigate to your app’s add-ons and click on the Redis Cloud (or Memcached Cloud) add-on to access the add-on’s console.

  3. Access the Manage Databases page by clicking the MY DATABASES->Manage menu entry (or MY BUCKETS->Manage menu entry for the Memcached Cloud add-on).

  4. Change the password of each of your Redis Cloud (and Memcached Cloud) resources:

    1. Click the resource to select it and view its properties.

    2. Click the Edit button at the bottom of the page.

    3. Enter a new password in the Redis Password field (or the SASL Authentication Password field for Memcached Cloud resources).

    4. Click the Update button at the bottom of the page to apply the change.

Once you’ve changed the password of a Redis Labs cloud resource, you’ll need to apply the change to your application’s environment as well. To update your Heroku app’s environment with a new Redis Cloud password, use the CLI to modify the config var in the following manner for the Redis Cloud add-on:

$ heroku config:set REDISCLOUD_URL=redis://rediscloud:<password>@<host>:<port>

Similarly, if your app uses our Memcached Cloud add-on, use the following syntax:

$ heroku config:set MEMCACHEDCLOUD_URL=memcached://<user>:<password>@<host>:<port>

Please make sure you replace the placeholders (e.g. <password>, <host>, <port>,…) with the information that’s relevant to your resource. Also note that any changes to your application’s config vars will restart your application.

Instructions for CloudFoundry Users

To change the password of your Redis Cloud or Memcached Cloud Add-On resources, follow these steps:

  1. Login to your CloudFoundry account at https://login.run.pivotal.io/login.

  2. Navigate to your app’s add-ons and click on the Redis Cloud (or Memcached Cloud) add-on to access the add-on’s console.

  3. Access the Manage Databases page by clicking the MY DATABASES->Manage menu entry (or MY BUCKETS->Manage menu entry for the Memcached Cloud add-on).

  4. Change the password of each of your Redis Cloud (and Memcached Cloud) resources:

    1. Click the resource to select it and view its properties.

    2. Click the Edit button at the bottom of the page.

    3. Enter a new password in the Redis Password field (or the SASL Authentication Password field for Memcached Cloud resources).

    4. Click the Update button at the bottom of the page to apply the change.

Once you’ve changed the password of a Redis Labs cloud resource, you’ll need to apply the change to your application’s environment as well. To update the VCAP_SERVICES environment variable of your CloudFoundry app with your Redis Cloud connection details, use the CLI as follows (formatted for readability):

$ cf set-env –app <appname> –name VCAP_SERVICES –value ‘{

rediscloud-n/a: [

{

name: “rediscloud-42”,

label: “rediscloud-n/a”,

plan: “<plan>”,

credentials: {

port: “<port>”,

hostname: “<host>”,

password: “<password>”

}

}

]

}’

The same approach should be used for your Memcached Cloud resource:

$ cf set-env –app <appname> –name VCAP_SERVICES –value ‘{

memcachedcloud-n/a: [

{

name: “memcachedcloud-42”,

label: “memcachedcloud-n/a”,

plan: “<plan>”,

credentials: {

servers: “<host>:<port>”,

username: “<user>”,

password: “<password>”

}

}

]

}’

Important: if your VCAP_SERVICES variable consists of additional services, make sure these are not overwritten by the password update.

Please make sure you replace the placeholders (e.g. <password>, <host>, <port>,…) with the information that’s relevant to your resource. Also note that any changes to your application’s evironment variables will restart your application.

Instructions for AppHarbor Users

To change the password of your Redis Cloud or Memcached Cloud Add-On resources, follow these steps:

  1. Login to your AppHarbor account at https://appharbor.com/session/new.

  2. Navigate to your app’s add-ons and click on the Redis Cloud (or Memcached Cloud) add-on to access the add-on’s console.

  3. Access the Manage Databases page by clicking the MY DATABASES->Manage menu entry (or MY BUCKETS->Manage menu entry for the Memcached Cloud add-on).

  4. Change the password of each of your Redis Cloud (and Memcached Cloud) resources:

    1. Click the resource to select it and view its properties.

    2. Click the Edit button at the bottom of the page.

    3. Enter a new password in the Redis Password field (or the SASL Authentication Password field for Memcached Cloud resources).

    4. Click the Update button at the bottom of the page to apply the change.

Once you’ve changed the password of a Redis Labs cloud resource, you’ll need to apply the change to your application’s environment as well. To update the configuration variables of your AppHarbor application, access the Configuration Variables tab in your AppHarbor console. Once at that tab, locate the REDISCLOUD_URL variable (or MEMCACHEDCLOUD_URL variable) and edit its value to reflect your database’s new password.

Note that any changes to your application’s configuration variables will restart your application.

Instructions for AppFog Users

To change the password of your Redis Cloud or Memcached Cloud Add-On resources, follow these steps:

  1. Login to your AppFog account at https://console.appfog.com/login.

  2. Navigate to your app’s add-ons and click on the Redis Cloud (or Memcached Cloud) add-on to access the add-on’s console.

  3. Access the Manage Databases page by clicking the MY DATABASES->Manage menu entry (or MY BUCKETS->Manage menu entry for the Memcached Cloud add-on).

  4. Change the password of each of your Redis Cloud (and Memcached Cloud) resources:

    1. Click the resource to select it and view its properties.

    2. Click the Edit button at the bottom of the page.

    3. Enter a new password in the Redis Password field (or the SASL Authentication Password field for Memcached Cloud resources).

    4. Click the Update button at the bottom of the page to apply the change.

Once you’ve changed the password of a Redis Labs cloud resource, you’ll need to apply the change to your application’s environment as well. To update the configuration variables of your AppFog application, navigate to the Env Variables tab. Once at that tab, locate the REDISCLOUD_URL variable (or MEMCACHEDCLOUD_URL variable) and edit its value to reflect your database’s new password.

Note that any changes to your application’s env variables will restart your application.

Subscribe

Get the latest Blog posts by email.