Multiple Parallels products are potentially affected by the ‘Heartbleed Bug’ because they are based on, or installed on, operating systems impacted by the OpenSSL CVE-2014-0160 vulnerability.
The OpenSSL group has published a solution at http://heartbleed.com/.
Additionally, please review and take the actions outlined in these Knowledgebase articles:
- For Parallels Automation: http://kb.parallels.com/en/120984
- For Parallels Business Automation Standard: http://kb.parallels.com/en/120986
- For Parallels Plesk Panel: http://kb.parallels.com/en/120990
- For Virtualization products: http://kb.parallels.com/en/120989
================================================================
Yesterday a new vulnerability was announced in OpenSSL 1.0.1 that allows an attacker to read up to 64 KB of memory from a connected server. Parallels is working to assess any product-specific issues resulting from this OpenSSL vulnerability. We encourage everyone running a server that uses OpenSSL to upgrade to version 1.0.1g to be protected. For previous versions of OpenSSL, recompiling with the OPENSSL_NO_HEARTBEATS flag enabled will protect against this vulnerability. We will provide any product-specific updates as they become available.
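
To triage a host against the guidance above, the following added example (not Parallels or OpenSSL code) classifies the output of `openssl version -a`. The function name `heartbleed_status` is hypothetical; the script assumes the affected upstream releases are 1.0.1 through 1.0.1f and that a build made with OPENSSL_NO_HEARTBEATS shows the flag on the `compiler:` line.

```shell
#!/bin/sh
# Added example: classify `openssl version -a` output against CVE-2014-0160.
# Usage on a host:  openssl version -a | heartbleed_status
# Assumptions: upstream 1.0.1 through 1.0.1f are affected, 1.0.1g is fixed,
# and a build with OPENSSL_NO_HEARTBEATS lists that flag in its build flags.
heartbleed_status() {
    info=$(cat)

    # First line looks like "OpenSSL 1.0.1e-fips 11 Feb 2013".
    ver=$(printf '%s\n' "$info" | sed -n '1s/^OpenSSL \([^ ]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo "unknown"
        return 2
    fi

    # Heartbeat support compiled out: the recompile mitigation is in place.
    if printf '%s\n' "$info" | grep -q -e 'OPENSSL_NO_HEARTBEATS'; then
        echo "heartbeats-disabled $ver"
        return 0
    fi

    case "$ver" in
        # 1.0.1 with no letter, or letters a-f, optionally with a suffix
        # such as -fips or a distribution tag.
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*)
            echo "vulnerable-range $ver"
            return 1
            ;;
        *)
            echo "not-in-affected-range $ver"
            return 0
            ;;
    esac
}
```

A `vulnerable-range` result on a distribution package is a prompt to check the vendor's package changelog, since distributions often backport the fix without changing the upstream version letter.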