Heartbleed: OpenSSL zero day vulnerability

On the morning of Tuesday, 8 April 2014, we noticed that a bug had been reported in OpenSSL (CVE-2014-0160), nicknamed Heartbleed. The bug is in the OpenSSL library itself, not in the software built on top of it, so every application that links an affected OpenSSL version is exposed. It lets an attacker read up to 64 KB of the process's memory per heartbeat request from a server (or client) running one of the affected versions; the request can be repeated indefinitely and leaves nothing in the logs, so private keys, session cookies and passwords can be recovered from the process.
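To make "read 64K of memory" concrete, here is an added example written for this page (it is not OpenSSL's own code) that models the TLS heartbeat handler before and after the fix. The record layout (1 byte type, 2 byte payload length, payload, at least 16 bytes padding) and the 16-bit length field are those of the TLS heartbeat extension; the function names, the 70000-byte "arena" standing in for the server's heap, and the fake private-key header placed after the record are constructed for the demonstration.

```c
/* Added example (not OpenSSL's code): a model of the TLS heartbeat handler
 * before and after the CVE-2014-0160 fix. Record layout: 1 byte type,
 * 2 byte payload length, payload, 16 bytes padding. The vulnerable handler
 * trusts the attacker-supplied length and copies that many bytes into the
 * reply, regardless of how many bytes were actually received. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define PADDING          16
#define MAX_PAYLOAD      0xffff                          /* 16-bit length field */
#define MAX_RESP         (1 + 2 + MAX_PAYLOAD + PADDING) /* 65554 bytes */
#define ARENA_SIZE       70000

/* Constructed stand-in for the server's heap: the received record sits at the
 * start and unrelated data (a fake private-key header) follows it. */
static unsigned char arena[ARENA_SIZE];
static unsigned char reply[MAX_RESP];
static const char secret[] = "-----BEGIN RSA PRIVATE KEY-----";  /* constructed */

typedef size_t (*hb_handler)(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap);

/* Vulnerable (1.0.1 - 1.0.1f): the declared length is never compared with
 * rec_len, so memcpy reads past the end of the record. Returns reply length. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                   /* the bug: never consulted */
    const unsigned char *p = rec;
    unsigned char type = *p++;
    unsigned int payload = ((unsigned)p[0] << 8) | p[1]; /* n2s(p, payload) */
    p += 2;
    if (type != TLS1_HB_REQUEST) return 0;
    size_t resp_len = 1 + 2 + payload + PADDING;
    if (resp_len > out_cap) return 0;                /* demo guard; OpenSSL malloc'ed resp_len */
    unsigned char *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, p, payload);                          /* over-read: up to 64 KB of whatever follows */
    bp += payload;
    memset(bp, 0, PADDING);                          /* OpenSSL used random bytes here */
    return resp_len;
}

/* Fixed (1.0.1g): discard records too short to hold a heartbeat at all, and
 * records whose declared payload does not fit in what was received. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + PADDING) return 0;         /* silently discard */
    const unsigned char *p = rec;
    unsigned char type = *p++;
    unsigned int payload = ((unsigned)p[0] << 8) | p[1];
    p += 2;
    if (1 + 2 + (size_t)payload + PADDING > rec_len) return 0;  /* the fix */
    if (type != TLS1_HB_REQUEST) return 0;
    size_t resp_len = 1 + 2 + payload + PADDING;
    if (resp_len > out_cap) return 0;
    unsigned char *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, p, payload);
    bp += payload;
    memset(bp, 0, PADDING);
    return resp_len;
}

/* Places a request in the arena that really carries 3 payload bytes ("abc")
 * but declares `claimed` bytes, with the secret 100 bytes after the record.
 * Returns the true record length (22). */
size_t build_request(unsigned int claimed)
{
    memset(arena, 0, sizeof arena);
    arena[0] = TLS1_HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memcpy(arena + 3, "abc", 3);
    size_t rec_len = 1 + 2 + 3 + PADDING;            /* padding bytes stay zero */
    memcpy(arena + rec_len + 100, secret, sizeof secret - 1);
    return rec_len;
}

/* Runs a handler on the constructed request; returns the reply length. */
size_t reply_length(hb_handler handler, unsigned int claimed)
{
    size_t rec_len = build_request(claimed);
    return handler(arena, rec_len, reply, sizeof reply);
}

/* 1 if the reply produced by handler contains the secret, else 0. */
int reply_leaks_secret(hb_handler handler, unsigned int claimed)
{
    size_t n = reply_length(handler, claimed);
    size_t slen = sizeof secret - 1;
    for (size_t i = 0; n >= slen && i + slen <= n; i++)
        if (memcmp(reply + i, secret, slen) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("honest request (len 3): vulnerable=%zu bytes, fixed=%zu bytes\n",
           reply_length(heartbeat_vulnerable, 3), reply_length(heartbeat_fixed, 3));
    printf("malicious request (len 65535): vulnerable=%zu bytes, leak=%d; fixed=%zu bytes\n",
           reply_length(heartbeat_vulnerable, MAX_PAYLOAD),
           reply_leaks_secret(heartbeat_vulnerable, MAX_PAYLOAD),
           reply_length(heartbeat_fixed, MAX_PAYLOAD));
    return 0;
}
```

The honest request gets a 22-byte reply from both handlers. The malicious one, a 22-byte record claiming a 65535-byte payload, gets a 65554-byte reply from the vulnerable handler that contains the "private key" sitting after the record; the fixed handler drops it because the declared length does not fit in the record actually received. This is also why the online checkers below work: they send exactly such a request and look at whether the reply is longer than what they sent.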

The following versions of OpenSSL are affected:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable

The following versions of OpenSSL are NOT affected:

  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

The vulnerable versions have been in circulation for about two years (1.0.1 was released in March 2012) and are the default OpenSSL in many current operating systems, so a system can be vulnerable without anyone having installed OpenSSL by hand.

Affected releases include (with the OpenSSL package they ship):

  • Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
  • Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
  • CentOS 6.5, OpenSSL 1.0.1e-15
  • Fedora 18, OpenSSL 1.0.1e-4
  • OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
  • FreeBSD 8.4 (OpenSSL 1.0.1e) and 9.1 (OpenSSL 1.0.1c)
  • NetBSD 5.0.2 (OpenSSL 1.0.1e)
  • OpenSUSE 12.2 (OpenSSL 1.0.1c)

To check whether one of your systems is vulnerable, use http://filippo.io/Heartbleed (or http://s3.jspenguin.org/ssltest.py for a command-line version). The checker connects to the host you enter, sends a malformed heartbeat request and reports whether the server answers with extra memory, i.e. whether you have to take action. Keep in mind that it only tests the service it connects to (HTTPS by default); other TLS services on the same host, such as SMTP, IMAP or a VPN, have to be checked separately. The check is the exploit itself, so only run it against systems you are responsible for.

Many distributions, including CentOS, Debian and Ubuntu, have already published updated OpenSSL packages. If you are running a supported OS release, you can install them with one of the following commands:

Debian and Ubuntu:

  • apt-get update && apt-get upgrade

CentOS:

  • yum update

After updating, verify the package version rather than the output of "openssl version": the distributions backport the fix, so the library still reports 1.0.1e. The fixed packages are 1.0.1e-2+deb7u5 on Debian Wheezy, 1.0.1-4ubuntu5.12 on Ubuntu 12.04 LTS and 1.0.1e-16.el6_5.7 on CentOS 6 (check with "dpkg -l libssl1.0.0" or "rpm -q openssl").

Please be advised that every service that uses OpenSSL (web server, mail server, VPN, database, ...) needs to be restarted for the update to take effect: a running process keeps the old library mapped in memory until it is restarted, so upgrading the package alone does not help. A reboot is the simplest way to be sure. Because an attacker may already have read the private key out of memory, you should also generate a new key, reissue the certificate and revoke the old one, and invalidate existing sessions and passwords once the fixed library is running.

For more information on the Heartbleed bug, please refer to the following website: http://heartbleed.com.

4 comments
  1. sysadmin
    April 8, 2014 at 20:51

    Thank you, very useful information.

    Does anybody know where to get a patched openssl 1.0.1 rpm package for CentOS 5?

  2. Peycho
    April 11, 2014 at 7:19

    Also, a good idea is to re-generate your SSL certificates that you used previously.

  3. Lucas R
    April 14, 2014 at 12:37

    It would be good to mention that services making use of OpenSSL also need to be restarted; otherwise it's pointless to upgrade the library if you keep the services running forever.

    To find processes that need to be restarted, do:
    lsof -n | grep ssl | grep DEL | awk '{print $1}' | sort | uniq

    It's also important to know that there's an update for both openssl and openssl-devel.
    On CentOS 6, the fixed version would be 1.0.1e-16.el6_5.7

    @Sysadmin:
    CentOS 5 is in general not affected, due to the version of OpenSSL it's running (lower than 1.0.0).
