On the morning of Tuesday, 8 April 2014, we noticed that a bug had been reported in OpenSSL (CVE-2014-0160), known as Heartbleed. The bug lies in OpenSSL itself, which is third-party software, rather than in any application built on top of it. It allows an attacker to read up to 64 KB of memory from a server running one of the affected OpenSSL versions with every malformed heartbeat request, and nothing stops the attacker from repeating the request, so anything held in the process memory (private keys, session cookies, passwords) can be exposed.
The following versions of OpenSSL are affected:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
The following versions of OpenSSL are NOT affected:
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
The vulnerable versions have been in circulation for over two years and have been adopted by many modern operating systems, so several OS releases shipped with a potentially vulnerable OpenSSL version.
Affected releases include:
- Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
- Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
- CentOS 6.5, OpenSSL 1.0.1e-15
- Fedora 18, OpenSSL 1.0.1e-4
- OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
- FreeBSD 8.4 (OpenSSL 1.0.1e) and 9.1 (OpenSSL 1.0.1c)
- NetBSD 5.0.2 (OpenSSL 1.0.1e)
- OpenSUSE 12.2 (OpenSSL 1.0.1c)
To check whether one of your systems might be vulnerable to this bug, use the following website: http://filippo.io/Heartbleed (or http://s3.jspenguin.org/ssltest.py for a command-line version). The website probes the host name you enter and tells you whether you need to take action. Note that it tests only the TLS service at the address you give it; other services that link OpenSSL (SMTP, IMAP, POP3, OpenVPN and so on) need to be probed separately, and a negative result from a remote probe is not proof that the installed library has been patched.
Many distributions, including CentOS, Debian and Ubuntu, have already pushed updates for OpenSSL. If you are running a supported OS version, you can update OpenSSL with the following commands:
Debian and Ubuntu:
- apt-get update && apt-get upgrade
CentOS and Fedora:
- yum update
Because distributions backport the fix rather than moving to 1.0.1g, openssl version will still report 1.0.1e after the update. Compare the installed package version (dpkg -l openssl, or rpm -q openssl) with the version named in your distribution's advisory, or look at the build date printed by openssl version -b, which should be 7 April 2014 or later.
Please be advised that every service using OpenSSL (web servers, mail servers, VPN daemons and so on) must be restarted, or the host rebooted, for the update to take effect: a running process keeps the old library mapped until it restarts. Tools such as checkrestart (debian-goodies) on Debian and Ubuntu or needs-restarting (yum-utils) on CentOS list the processes concerned. Since the private key of an affected server may already have been read, treat its certificate as compromised once the system is patched: reissue it with a new key, revoke the old certificate, and reset session keys and passwords.
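As an added example (not code from the original page or from any distribution tool), this Python 3 script finds the processes that still need a restart after the upgrade. When the package manager replaces libssl and libcrypto, processes that were already running keep the old file mapped, and the kernel marks such mappings "(deleted)" in /proc/<pid>/maps. The script parses those lines; SAMPLE_MAPS is a constructed maps excerpt used to exercise the parser, and the /proc layout and library names are the usual Linux ones. Run it as root to see every user's processes.

```python
"""Find processes still mapping a deleted (pre-upgrade) libssl/libcrypto (added example)."""
import os
import re

LIB_RE = re.compile(r"^lib(ssl|crypto)\.so")

# Constructed sample of /proc/<pid>/maps lines, not captured from a real host.
SAMPLE_MAPS = """\
7f3c2a1b0000-7f3c2a3a0000 r-xp 00000000 08:01 393228 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3c2a3a0000-7f3c2a5a0000 ---p 001f0000 08:01 393228 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3c2a5a0000-7f3c2a7a0000 r-xp 00000000 08:01 393201 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3c2a7a0000-7f3c2a7c0000 r-xp 00000000 08:01 131077 /lib/x86_64-linux-gnu/libc-2.13.so
7fff1a2b0000-7fff1a2d1000 rw-p 00000000 00:00 0 [stack]
"""


def parse_maps(text):
    """Return {library path: deleted?} for every libssl/libcrypto mapping in a maps text."""
    found = {}
    for line in text.splitlines():
        parts = line.split(None, 5)        # address perms offset dev inode [pathname]
        if len(parts) < 6:
            continue                       # anonymous mapping, no pathname
        path = parts[5]
        deleted = path.endswith(" (deleted)")
        if deleted:
            path = path[:-len(" (deleted)")]
        if LIB_RE.match(os.path.basename(path)):
            found[path] = found.get(path, False) or deleted
    return found


def has_stale_openssl(text):
    """True if the maps text shows a libssl/libcrypto whose file has been replaced."""
    return any(parse_maps(text).values())


def stale_openssl_processes(proc_root="/proc"):
    """Return {pid: command name} for processes that still use the old library."""
    stale = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(pid_dir, "maps")) as f:
                maps = f.read()
        except OSError:
            continue                       # process exited, or not ours and we are not root
        if has_stale_openssl(maps):
            try:
                with open(os.path.join(pid_dir, "comm")) as f:
                    comm = f.read().strip()
            except OSError:
                comm = "?"
            stale[int(entry)] = comm
    return stale


if __name__ == "__main__":
    stale = stale_openssl_processes()
    if not stale:
        print("no running process uses a replaced libssl/libcrypto")
    for pid, comm in sorted(stale.items()):
        print(f"restart needed: pid {pid} ({comm})")
```

A process that shows up here is still running the vulnerable code even though the package on disk is fixed; restart it (or reboot) and run the script again until the list is empty. Static binaries and applications that bundle their own OpenSSL (some Java, Node.js or Python builds, appliance software) will not appear and have to be updated separately.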
For more information on the Heartbleed bug, please refer to the following website: http://heartbleed.com.