Engine Yard stacks on Gentoo are not currently running a version of OpenSSL greater than 1.0.0. which removes it from the scope of this vulnerability. The current issue facing our customers with this vulnerability presents itself with the use of AWS ELB’s and our Ubuntu offerings, which do run a version of OpenSSL that is vulnerable in CVE-2014-0160.
AWS has updated their ELB offerings to address the vulnerability: https://aws.amazon.com/security/security-bulletins/aws-services-updated-to-address-openssl-vulnerability/ Contrary to the statement in the link, all ELBs in use by Engine Yard, and in the Engine Yard pool of resources, have been updated in all regions, including US East.
At this time, if you have been using an ELB in your environment, it is recommended that you rotate your SSL certificates. If running on our Ubuntu stack, open a support ticket and Engine Yard Support can verify that your environment is secure.
Apr 8, 21:10 UTC
If you're using Engine Yard Cloud on AWS without ELB’s you are not affected. Please read https://support.cloud.engineyard.com/entries/50554018-April-7-2014-OpenSSL-security-vulnerability for more details.
Apr 8, 03:45 UTC