dp.cx blog

Posted on

Filed under linux, openssl, puppet, and patch

CVE-2014-0160 which recently made headlines because of it's massive impact across the large majority of Internet-based services has allowed us to show that the return on investment with puppet is greater than 0. Here's how.

First, we needed to know how many of our servers were vulnerable. A quick puppet fact that looked like the following

 
Facter.add("openssl_version") do
  setcode do
    Facter::Util::Resolution.exec('/usr/bin/openssl version')
  end
end
 

allowed us to determine what boxes were running what versions of openssl. After determining what boxes were actually open to the public internet (and therefore required earliest patching), we determined we'd have an outage at midnight. A simple puppet line solves the problem:

 
package { "openssl": ensure => "latest", }
 

The difference is, instead of needing separate outage windows for the public facing boxes and the rest of the boxes, puppet allows them to all be updated at once.