Does Heartbleed affect AWS Elastic Load Balancer?

The Heartbleed OpenSSL vulnerability (http://heartbleed.com/) affects OpenSSL 1.0.1 through 1.0.1f (inclusive).

I use Amazon Elastic Load Balancer to terminate my SSL connections. Is ELB vulnerable?


Solution 1:

Update 09/04/2014 1:00AM EST

Amazon has stated that all Elastic Load Balancers have been updated and are no longer vulnerable. They recommend rotating certs as well.

Update 08/04/2014 2:56PM CST

Amazon has stated that all Elastic Load Balancers except those in US-EAST-1 have been updated, and the vast majority of those in US-EAST-1 have been updated.

Update 08/04/2014 9:58PM PST

Amazon has confirmed that this affects the ELB platform and is currently working to mitigate the exploit. See the link below for the official response.


Yes, it is, most likely. Several people have stated that they've gotten responses from Amazon that ELB is affected by this issue. Frankly, most SSL applications are affected by this, with the notable exception of Cloudflare, who seems to have gotten early warning.

Evidence suggesting as such:

https://forums.aws.amazon.com/thread.jspa?threadID=149690#jive-message-535248

See also:

http://aws.amazon.com/security/security-bulletins/aws-services-updated-to-address-openssl-vulnerability/