On the morning of Tuesday, 8 April, we noticed that a bug had been reported in OpenSSL (CVE-2014-0160), called Heartbleed. This bug exists only in third-party software. It enables an attacker to read 64K of memory from a server that is running one of the OpenSSL versions affected by this issue.
The following versions of OpenSSL are affected:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
The following versions of OpenSSL are NOT affected:
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
The vulnerable versions have been in use for over two years and have been adopted by many modern operating systems. As a result, some operating systems have shipped with a potentially vulnerable OpenSSL version.
These include:
- Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
- Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
- CentOS 6.5, OpenSSL 1.0.1e-15
- Fedora 18, OpenSSL 1.0.1e-4
- OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
- FreeBSD 8.4 (OpenSSL 1.0.1e) and 9.1 (OpenSSL 1.0.1c)
- NetBSD 5.0.2 (OpenSSL 1.0.1e)
- OpenSUSE 12.2 (OpenSSL 1.0.1c)
To check whether one of your systems might be vulnerable to this bug, use the following website: http://filippo.io/Heartbleed (http://s3.jspenguin.org/ssltest.py for the command-line version). It tests the URL of your website and tells you whether you need to take any action.
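The remote test above needs the service to be reachable from the internet. As an added example (not code from the original post), the following POSIX shell script does a local first-pass triage on the output of `openssl version`, using exactly the ranges listed above: 1.0.1 through 1.0.1f vulnerable; 1.0.1g, the 1.0.0 branch and the 0.9.8 branch not. The package names `libssl1.0.0` (Debian/Ubuntu) and `openssl` (RPM-based systems) are assumptions for the package lookup. The important caveat is that distributions backport the fix without changing the upstream version string, so a patched package can still report `1.0.1e`; treat a `vulnerable` result as "compare the package version against your distribution's fixed build", not as a final verdict.

```shell
#!/bin/sh
# Added example, not part of the original post: offline triage of an
# `openssl version` string against the ranges the post lists.
# Caveat: distributions backport the fix without bumping the upstream
# version, so a patched package may still report "1.0.1e". Confirm
# with the package manager (see installed_openssl_package below).

# heartbleed_status "<output of: openssl version>"
# Prints one of: vulnerable | not-vulnerable | unknown
heartbleed_status() {
    # The second whitespace-separated field is the version, e.g. "1.0.1e-fips".
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*)
            echo vulnerable ;;          # 1.0.1 through 1.0.1f
        1.0.1[g-z]|1.0.1[g-z]-*)
            echo not-vulnerable ;;      # 1.0.1g carries the fix
        1.0.0*|0.9.8*)
            echo not-vulnerable ;;      # branches that never had the bug
        *)
            echo unknown ;;             # not covered by the post's lists
    esac
}

# Prints the distribution package version, which is what must be compared
# against the fixed build for your release (package names are assumptions).
installed_openssl_package() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Package} ${Version}\n' libssl1.0.0 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' openssl 2>/dev/null
    fi
}

# Only touch the live system when asked, so the functions above can be
# sourced and exercised offline with fixed version strings.
if [ "${1:-}" = "--live" ]; then
    v=$(openssl version 2>/dev/null)
    echo "$v -> $(heartbleed_status "$v")"
    installed_openssl_package
fi
```

Run it as `sh heartbleed-check.sh --live` on the host; sourcing the file and calling `heartbleed_status` with a version string lets you reuse the classification in inventory scripts.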
Many distributions, such as CentOS, Debian and Ubuntu, have already pushed updates for OpenSSL. If you are running a supported OS version, you can update OpenSSL by running one of the following commands:
Debian and Ubuntu:
- apt-get update && apt-get upgrade
CentOS:
- yum update
Please be advised that all services on the system that use OpenSSL need to be restarted for the update to take effect.
For more information on the Heartbleed bug, please refer to the following website: http://heartbleed.com.
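Upgrading the package replaces the library file on disk, but a running process keeps the old, now-deleted copy mapped until it is restarted. As an added example (not code from the original post), the following POSIX shell script reads `lsof -n` output and lists the processes that still map a deleted `libssl`/`libcrypto`; those are the services that need restarting. It relies on Linux `lsof` marking deleted mapped files with FD `DEL` (some versions append `(deleted)` to the path instead, which is handled too). The sample `lsof` lines are constructed for the demo, not a real capture.

```shell
#!/bin/sh
# Added example, not part of the original post: after the OpenSSL upgrade,
# find processes still mapping the OLD (deleted) libssl/libcrypto.

# Reads `lsof -n` output on stdin; prints unique "COMMAND PID" pairs that
# still use a deleted libssl or libcrypto.
stale_ssl_processes() {
    awk '($4 == "DEL" || $0 ~ /\(deleted\)$/) && $0 ~ /lib(ssl|crypto)[.-]/ {
             print $1, $2
         }' | sort -u
}

# Constructed sample lsof output (not a real capture): two nginx workers still
# map the deleted libssl/libcrypto, sshd was started after the upgrade and maps
# the new file, postgres maps an unrelated deleted library.
sample_lsof_output() {
    cat <<'EOF'
COMMAND   PID     USER  FD  TYPE DEVICE SIZE/OFF   NODE NAME
nginx    1234     root mem   REG  253,0  1599504 786453 /lib/x86_64-linux-gnu/libc-2.13.so
nginx    1234     root DEL   REG  253,0          786512 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
nginx    1234     root DEL   REG  253,0          786510 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
nginx    1235 www-data DEL   REG  253,0          786512 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
sshd      900     root mem   REG  253,0   431320 786601 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
postgres  700 postgres DEL   REG  253,0          786420 /usr/lib/x86_64-linux-gnu/libpq.so.5
EOF
}

# Live check: needs lsof, and root to see every process on the host.
live_stale_ssl_processes() {
    lsof -n 2>/dev/null | stale_ssl_processes
}

case "${1:-}" in
    --demo) sample_lsof_output | stale_ssl_processes ;;   # prints nginx 1234, nginx 1235
    --live) live_stale_ssl_processes ;;
esac
```

`sh stale-ssl.sh --demo` shows the expected result on the constructed data; `sh stale-ssl.sh --live` as root gives the real list. Restart each listed service (or reboot) and run the live check again until it prints nothing.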
Rob
April 8, 2014 at 16:26
The tool at filippo.io is under massive load, and as a result is prone to giving false positives. Two alternatives are:
https://www.hostinginnederland.nl/blog/internet-kwetsbaar-kritiek-heartbleed-lek-openssl-39 (clone, in Dutch)
http://possible.lv/tools/hb/ (in English)
sysadmin
April 8, 2014 at 20:51
Thank you, very useful information.
Does anybody know where to get a patched openssl 1.0.1 rpm package for centos 5?
Peycho
April 11, 2014 at 7:19
Also, a good idea is to re-generate your SSL certificates that you used previously.
Lucas R
April 14, 2014 at 12:37
Would be good to mention that services making use of OpenSSL also need to be restarted, else it's pointless to upgrade the library if you'll keep services running forever.
To find resources that need to be restarted do:
lsof -n | grep ssl | grep DEL | awk '{print $1}' | sort | uniq
It's also important to know that there's an update for both openssl and openssl-devel.
On CentOS 6, the fixed version would be 1.0.1e-16.el6_5.7
@Sysadmin:
CentOS 5 is in general not affected, due to the version of OpenSSL it's running (lower than 1.0.0).