Keeping up its promise, Google has issued security patch addressing the Heartbleed security vulnerability for its Compute Engine.
Last week, the company promised to patch affected services like Cloud SQL, Google Compute Engine and Google Search Appliances, while rolling out patches for key services affected by the Heartbleed bug, including updates to Search, Gmail, YouTube, Wallet, Play, Apps, App Engine, AdWords, DoubleClick, Maps, Maps Engine, Earth, Analytics, and Tag Manager.
“In light of new research on extracting keys using the Heartbleed bug, we are recommending that Google Compute Engine (GCE) customers create new keys for any affected SSL services,” the company wrote in the updated blog post.
Google said “Customers need to manually update OpenSSL on each running instance or should replace any existing images with versions including an updated OpenSSL. Once updated, each instance should be rebooted to ensure all running processes are using the updated SSL library. Please find instructions here.”
Google is reportedly still working on patches for Cloud SQL as well as Google Search Appliance (GSA) that is expected to be available soon. The company noted that the Google Enterprise Support Portal will be updated with the GSA patch and customers will also have to create new keys after patching their GSA.
Google also noted that all versions of Android are immune except Android 4.1.1 “Jelly Bean” software, released in July 2012, for which the company is distributing patching information to Android partners. The Guardians reports that millions of Android devices running Android 4.1.1 “Jelly Bean” around the world are vulnerable to Heartbleed bug.
Earlier this month, security researchers unveiled the Heartbleed encryption flaw in the OpenSSL which is perhaps the most serious Internet security vulnerability ever. The vulnerability, first introduced to the world on New Year’s Eve 2011 by a programmer Robin Seggelmann, has been undiscovered for around two years.
