
OpenSSL Heartbleed

April 8, 2014 , 10:18 pm


The Heartbleed vulnerability in OpenSSL was reported by a Google security engineer. It allows an attacker to read information (passwords, private communications, credit card details, etc.) that is supposed to be protected by SSL/TLS encryption, which covers web services, email services and IM.

This bug was introduced in OpenSSL 1.0.1, and the following versions are affected:

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable

To test whether your server is vulnerable to this bug, you can use the URLs given below.

http://filippo.io/Heartbleed/

http://possible.lv/tools/hb/

Fix: you have to upgrade the openssl version.

Upgrading openssl is risky, as a lot of other services are linked against it; services that are already running keep the old library loaded until they are restarted. The easiest way to upgrade openssl is to use the Axivo repo.

You can check the openssl version using the following command:

root@server [~]# openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Apr 8 02:39:29 UTC 2014
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: rdrand dynamic
root@server [~]#
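As an added example (not code from the original post), the following POSIX shell script applies the version list above to the output of openssl version: 1.0.1 through 1.0.1f is reported as vulnerable, 1.0.1g and later and the 1.0.0 and 0.9.8 branches as not vulnerable, and anything outside those branches as unknown. The sample lines at the bottom are constructed from the outputs shown in this post.

```sh
#!/bin/sh
# Added example: classify an OpenSSL version against the Heartbleed list in
# this post (1.0.1 through 1.0.1f vulnerable; 1.0.1g+, 1.0.0.x, 0.9.8x not).
# Not code from the original post.

# Print "vulnerable", "not-vulnerable" or "unknown" for a version token such
# as "1.0.1e-fips" or "1.0.1g". Returns 1 if the token is empty.
heartbleed_status() {
    case "$1" in
        "")                                     return 1 ;;
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*)  echo vulnerable ;;
        1.0.1[g-z]|1.0.1[g-z]-*|1.0.0*|0.9.8*)  echo not-vulnerable ;;
        *)                                      echo unknown ;;  # e.g. 1.0.2: not covered by the list above
    esac
}

# Extract the version token from an "openssl version" line, e.g.
# "OpenSSL 1.0.1e-fips 11 Feb 2013" -> "1.0.1e-fips". Prints nothing and
# returns 1 for lines that are not from OpenSSL (e.g. LibreSSL).
openssl_version_token() {
    line="$1"
    set -- $line            # word-split the line into positional parameters
    [ "$1" = "OpenSSL" ] && echo "$2"
}

# Run the check against the openssl binary installed on this machine.
check_local_openssl() {
    line=$(openssl version 2>/dev/null) || line=""
    status=$(heartbleed_status "$(openssl_version_token "$line")") || status=unknown
    echo "$status"
}

# Constructed sample lines, taken from the before/after outputs in this post.
heartbleed_status "$(openssl_version_token "OpenSSL 1.0.1e-fips 11 Feb 2013")"   # vulnerable
heartbleed_status "$(openssl_version_token "OpenSSL 1.0.1g 7 Apr 2014")"         # not-vulnerable
check_local_openssl
```

Distributions that backport fixes keep the 1.0.1e version string even after patching, so on RPM systems confirm a "vulnerable" result with rpm -q --changelog openssl | grep -i heartbeat before acting on it.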

 

 

Install the "Axivo" repo.

root@server [~]# rpm -ivh --nosignature http://rpm.axivo.com/redhat/axivo-release-6-1.noarch.rpm
Retrieving http://rpm.axivo.com/redhat/axivo-release-6-1.noarch.rpm
Preparing… ########################################### [100%]
1:axivo-release ########################################### [100%]
root@server [~]# yum --enablerepo=axivo update openssl

After the update, the openssl version is the patched 1.0.1g:

root@server [~]# openssl version -a
OpenSSL 1.0.1g 7 Apr 2014
built on: Mon Apr 7 15:55:48 EDT 2014
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O3 -g -m64 -mtune=nocona -m128bit-long-double -mmmx -msse3 -mfpmath=sse -Wa,--noexecstack -fomit-frame-pointer -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: rsax rdrand dynamic

CloudLinux/cPanel server:

If you are running a CloudLinux/cPanel server, you can follow the steps given below.

# yum clean all
# yum update openssl
# cagefsctl --force-update
# /etc/init.d/httpd stop
# /etc/init.d/httpd start

LiteSpeed Web Server 4.2.9 was released this morning as a security patch to address the OpenSSL Heartbleed bug. As noted on Heartbleed.com, this vulnerability should affect versions 4.2.5-8 and 5.0 RC1. If you use one of these versions, we highly recommend that you upgrade to LSWS 4.2.9 as soon as possible.

The easiest way to upgrade is by using the lsup command: /usr/local/lsws/admin/misc/lsup.sh -f -v 4.2.9

Some users have experienced an issue with the lsup command that causes it to try to download from the wrong address. This can be fixed by removing the /usr/local/lsws/autoupdate/release directory before running it again.
