It is public that Amazon's Elastic Load Balancers (ELBs) were vulnerable to the Heartbleed exploit before they patched them all on April 8th. I understand that the memory of these ELBs (and therefore the certificates on them) could be compromised, but I'm curious if there was any risk of memory exposure of the EC2 instances behind these ELBs (given that the EC2 instances were not themselves vulnerable, nor accessible from external IP addresses).
1 Answer
No.
The Heartbleed bug only compromises the memory of the operating system process which uses OpenSSL. The memory of any other processes is not compromised. When load-balancer and application server are different processes AND the load-balancer acts as TLS server (instead of just routing the raw data-stream to the application server which then does the TLS), the memory of the application server cannot be compromised.
Philipp
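As an added illustration of the answer above (not code from the original post or from OpenSSL), this constructed C model treats each `struct proc` as one process's private memory and runs a heartbeat reply with and without the payload-length check. All names, offsets and marker strings are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model: each struct stands for one OS process's private memory. */
#define ARENA 256
struct proc { unsigned char mem[ARENA]; };

static void put(struct proc *p, size_t off, const char *s) {
    memcpy(p->mem + off, s, strlen(s));
}

/* Reply without the length check: trusts the claimed length, so the copy runs
   past the request into whatever follows it in the SAME process's memory. */
size_t heartbeat_unchecked(const struct proc *p, size_t off, size_t actual,
                           size_t claimed, unsigned char *out) {
    (void)actual;
    if (off + claimed > ARENA) claimed = ARENA - off; /* model only: stay in arena */
    memcpy(out, p->mem + off, claimed);
    return claimed;
}

/* Checked variant: a claimed length above the received payload is discarded. */
size_t heartbeat_checked(const struct proc *p, size_t off, size_t actual,
                         size_t claimed, unsigned char *out) {
    if (claimed > actual) return 0;
    memcpy(out, p->mem + off, claimed);
    return claimed;
}

/* Byte-wise search for a marker string in a reply buffer. */
int contains(const unsigned char *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Returns bit 0 if the load balancer's secret leaked, bit 1 if the backend's did. */
int scenario(int checked) {
    struct proc lb = {{0}}, backend = {{0}};
    unsigned char out[ARENA];
    put(&lb, 0, "ping");                   /* 4-byte heartbeat payload */
    put(&lb, 32, "LB_TLS_PRIVATE_KEY");    /* held by the TLS-terminating process */
    put(&backend, 32, "APP_SESSION_DATA"); /* separate process behind the balancer */
    size_t n = checked ? heartbeat_checked(&lb, 0, 4, 200, out)
                       : heartbeat_unchecked(&lb, 0, 4, 200, out);
    return contains(out, n, "LB_TLS_PRIVATE_KEY")
         | (contains(out, n, "APP_SESSION_DATA") << 1);
}
int main(void) { printf("unchecked=%d checked=%d\n", scenario(0), scenario(1)); return 0; }
```

The handler only ever holds a pointer into the TLS-terminating process's own memory, which is why the backend marker cannot appear in the reply in either variant.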