HeartBleed-Passwords

Heartbleed is the nickname for a critical vulnerability discovered in some versions of OpenSSL, one of the most popular SSL libraries and one used in a large number of open source products. The heartbleed.com website has been set up to provide more information about this bug and its effects.

If you are concerned about whether you, or a site you use, are affected, there are a number of third-party sites offering testing services, including https://filippo.io/Heartbleed.

The bug is not present in 1.0.1g, nor is it present in the 1.0.0 branch nor the 0.9.8 branch of OpenSSL.

Status of different versions:

Vulnerable OpenSSL versions:
============================

OpenSSL 1.0.1 vulnerable
OpenSSL 1.0.1a vulnerable
OpenSSL 1.0.1b vulnerable
OpenSSL 1.0.1c vulnerable
OpenSSL 1.0.1d vulnerable
OpenSSL 1.0.1e vulnerable
OpenSSL 1.0.1f vulnerable

All releases from OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable.

NOT Vulnerable versions:
========================

OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable

Red Hat and CentOS have already published a patched version of the OpenSSL 1.0.1 package. Please check https://rhn.redhat.com/errata/RHSA-2014-0376.html

How to check Heartbleed Bug:
============================

You can check for the Heartbleed bug using the following sites:

http://filippo.io/Heartbleed

https://www.ssllabs.com/ssltest

Make sure everything is reported okay.

How to FIX OpenSSL Vulnerability
================================

The patched OpenSSL 1.0.1 RPM has already been published to the RHEL 6 and CentOS 6 repositories, so the only steps that should be necessary to update these servers are to run "yum update" to install the updated version of OpenSSL and then either fully restart all SSL-enabled services, including sshd, or reboot the server. I recommend rebooting the server so that no services are missed; it also gives you the opportunity to install an updated kernel if one is available.

If your system is prone to this vulnerability, or is reported as vulnerable by the sites above, proceed with the following steps:

# yum update

Make sure the newly installed OpenSSL package includes the fix for the relevant CVE (Common Vulnerabilities and Exposures) entry, CVE-2014-0160.

# rpm -qa | grep openssl

Output Should look like:

# rpm -qa | grep openssl
openssl-1.0.1e-16.el6_5.7.x86_64
openssl-devel-1.0.1e-16.el6_5.7.x86_64

# rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160

Output should look like:

# rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160
* Mon Apr 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

[In cPanel servers]

Make sure the updated OpenSSL packages are installed, then rebuild your server software using:

# /scripts/easyapache

Restart all services that use the SSL libraries, such as cPanel, SSHD, HTTPD, Dovecot, Pure-FTPd and MySQL. I recommend rebooting the server so that no services are missed.

If your server runs RHEL 5 / CentOS 5, its OpenSSL does not have the bug; the version there would be something like openssl-0.9.8e, so CentOS/RHEL 5 users are safe from this vulnerability.
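The two post-update checks above (is the installed package fixed, and which services still hold the old library in memory) as one script. This is an added example, not part of the post or of any vendor tooling; the rpm and lsof output it parses is constructed sample data, and the live checks at the bottom only run where those commands exist:

```shell
#!/bin/sh
# Post-update Heartbleed check for a CentOS/RHEL 6 host (added example, not from the post).
# Both checks take command output as a string, so they can be exercised offline.

# Constructed sample of `rpm -qa 'openssl*'` on a patched CentOS 6 host.
SAMPLE_RPMS="openssl-1.0.1e-16.el6_5.7.x86_64
openssl-devel-1.0.1e-16.el6_5.7.x86_64"
# Constructed sample of `rpm -q --changelog openssl` (the entry the post says to look for).
SAMPLE_CHANGELOG="* Mon Apr 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension"
# Constructed sample of `lsof -n`: FD column "DEL" marks a mapped file replaced on disk.
SAMPLE_LSOF="COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 1234 root DEL REG 8,1 12345 /usr/lib64/libssl.so.1.0.1e
httpd 1235 apache DEL REG 8,1 12345 /usr/lib64/libssl.so.1.0.1e
sshd 2001 root DEL REG 8,1 12346 /usr/lib64/libcrypto.so.1.0.1e
mysqld 3001 mysql 12u IPv4 0t0 TCP *:3306 (LISTEN)"

# heartbleed_status RPM_LIST CHANGELOG -> prints not-affected | patched | vulnerable
heartbleed_status() {
  rpms=$1; changelog=$2
  # Only the 1.0.1 branch ever shipped the bug; 0.9.8 (EL5) and 1.0.0 are clean.
  if ! printf '%s\n' "$rpms" | grep -q '^openssl-1\.0\.1'; then
    echo not-affected; return 0
  fi
  # Upstream 1.0.1g is fixed; a distro 1.0.1e is fixed only if the backport is in its changelog.
  if printf '%s\n' "$rpms" | grep -q '^openssl-1\.0\.1g'; then
    echo patched; return 0
  fi
  if printf '%s\n' "$changelog" | grep -q 'CVE-2014-0160'; then
    echo patched; return 0
  fi
  echo vulnerable
}

# stale_ssl_users LSOF_OUTPUT -> space-separated names of processes still mapping the
# old libssl/libcrypto, i.e. the services that must be restarted (or the host rebooted).
stale_ssl_users() {
  printf '%s\n' "$1" | awk '$4 == "DEL" && $NF ~ /lib(ssl|crypto)\.so/ { print $1 }' | sort -u | xargs
}

# Live check when run on a real RPM host; elsewhere only the samples above are usable.
if command -v rpm >/dev/null 2>&1; then
  echo "this host: $(heartbleed_status "$(rpm -qa 'openssl*')" "$(rpm -q --changelog openssl 2>/dev/null)")"
fi
if command -v lsof >/dev/null 2>&1; then
  echo "services still using the old library: $(stale_ssl_users "$(lsof -n 2>/dev/null)")"
fi
```

An empty result from the lsof check after a `yum update` means every SSL-enabled service has been restarted; a non-empty one is the list the post tells you to restart.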

Posted by blogadmin
