Update and Patch OpenSSL for Heartbleed Vulnerability

What is OpenSSL?

OpenSSL is a widely used cryptographic library. It implements SSL/TLS (and the underlying ciphers, hashes and key handling) for popular applications such as Apache (web), MySQL (database), e-mail servers, virtual private networks (VPNs), and many more, so one vulnerable copy of the library exposes every service linked against it.


What is “the Heartbleed Bug”?

The Heartbleed Bug is a severe vulnerability in OpenSSL, known formally as "TLS heartbeat read overrun (CVE-2014-0160)". On April 7, 2014, OpenSSL.org released a security advisory together with a fixed release (1.0.1g); distributions such as CentOS followed with patched packages of their own.


What are the risks?

In short, the risks are many. The flaw lets an attacker read up to 64 KB of process memory per malformed heartbeat request from any server (or client) running a vulnerable OpenSSL, without authentication and without anything being written to the logs; repeated requests can walk through a large part of the process heap. That memory can contain session cookies, user passwords, the plaintext of other users' requests, and the server's private key, which would allow attackers to impersonate users and services and steal data. If the private key was leaked, the SSL certificate is compromised and must be revoked and reissued with a newly generated key; a patched server that keeps using the old key can still be impersonated.


What do I do?
  • Update OpenSSL and reboot the server (or restart every service that uses libssl) immediately; until the running processes are restarted they still execute the vulnerable code.
  • Only after the server has been patched and rebooted, change all passwords associated with the server. Passwords changed while the server is still vulnerable can simply be leaked again.
  • Consider having your SSL certificates revoked and reissued with newly generated private keys, since the old keys may have been read from memory.
 
Pre-Update Verification

Only the 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1; 1.0.1g fixed the bug, and the 1.0.0 and 0.9.8 branches were never vulnerable. Note that Red Hat and CentOS backport security fixes rather than moving to a new upstream version, so a patched CentOS 6 package still reports version 1.0.1e. What changes is the package release number and the changelog, which is why the checks below look at those rather than at the version string alone.


You can view which version of OpenSSL is installed by running the following command:

yum info openssl


You should receive information similar to the following:

Installed Packages
Name : openssl
Arch : x86_64
Version : 1.0.1e
Release : 16.el6_5.4
Size : 4.0 M
Repo : installed


In this case, 1.0.1e-16.el6_5.4 is vulnerable (on CentOS 6 the fix shipped in release 16.el6_5.7), and we'll want to patch the server.

You can also check the local changelog to verify whether or not OpenSSL is patched against the vulnerability with the following command:

rpm -q --changelog openssl | grep CVE-2014-0160


If no result is returned and the installed package is from the 1.0.1 series (as it is on CentOS 6.5), then you must patch OpenSSL. An older 1.0.0-based package, as shipped before CentOS 6.5, also shows no match, but only because it was never affected; confirm the version with the yum info output above before deciding.

Installation


It’s a matter of just running one command for installation via yum:

yum update openssl


You should receive output similar to the following:

--> Running transaction check
---> Package openssl.x86_64 0:1.0.1e-16.el6_5.4 will be updated
---> Package openssl.x86_64 0:1.0.1e-16.el6_5.7 will be an update
--> Finished Dependency Resolution


You’ll be asked to confirm the download and installation; simply enter y to confirm. Once this command is complete, OpenSSL will be installed and updated.


Post-Update Verification


Again, just as in the Pre-Update Verification step, we’ll check the local changelog to verify whether or not OpenSSL is patched against the vulnerability:

rpm -q --changelog openssl | grep CVE-2014-0160


If your version of OpenSSL is now patched, then you’ll receive a result similar to:

- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension


It is also possible to verify the OpenSSL version with the following command:

openssl version -a


If your version of OpenSSL is now patched, then you’ll receive a result similar to:

OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Apr 8 02:39:29 UTC 2014


…with a build date of Tue Apr 8 02:39:29 UTC 2014 or newer. The version string itself still says 1.0.1e because CentOS backports the fix; do not expect it to change to 1.0.1g.

Critical: Restart Services or Reboot

At this point, every service that uses libssl MUST be restarted to complete the patching process: a running process keeps the old, vulnerable library mapped in memory until it is restarted, even though the file on disk has been replaced. It is often simpler and cleaner to just reboot the server. To list the processes still using the old library (run this as root so that every process is visible), use the following command:

lsof | grep -i libssl | grep DEL | awk '{print $1}' | sort | uniq

Each name printed is a process holding a deleted (replaced) copy of libssl; restart the corresponding service and re-run the command until it prints nothing. Applications that bundle or statically link their own copy of OpenSSL are covered neither by this check nor by the yum update and must be updated separately.
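The following script is an added example, not part of the original article: it ties the pre-update changelog check, the yum update, the post-update check and the "which services still run the old libssl" check into one run on a CentOS 6 / yum host. The script name (heartbleed-patch.sh), the "run" argument, the DO_RESTART environment variable and the process-name-to-init-script table are assumptions made for illustration; the rpm, yum, openssl, lsof and service commands are the real ones used above.

```bash
#!/bin/bash
# Added example, not part of the original article: ties the article's
# pre-update check, yum update, post-update check and the "which services
# still run the old libssl" check into one script for a CentOS 6 / yum host.
# Run as root: "./heartbleed-patch.sh run".  Without "run" it only defines
# the helpers, so they can be exercised on constructed input.

# True (exit 0) if the rpm changelog text on stdin mentions the Heartbleed fix.
changelog_has_fix() {
    grep -q 'CVE-2014-0160'
}

# Read `lsof` output on stdin and print, once each, the names of processes
# whose mapped libssl has since been replaced on disk.  lsof marks such
# mappings "DEL" in its FD column ($4); matching on that column is stricter
# than a plain `grep DEL`, which would also hit a path containing "DEL".
stale_libssl_procs() {
    awk 'tolower($0) ~ /libssl/ && $4 == "DEL" { print $1 }' | sort -u
}

# Map a process name as lsof prints it to the init script that restarts it.
# This table is an assumption for illustration; extend it for your own host.
service_for() {
    case "$1" in
        httpd|nginx|sshd|mysqld|dovecot|vsftpd) echo "$1" ;;
        master) echo postfix ;;   # postfix's supervisor process
        *)      return 1 ;;
    esac
}

# Turn process names on stdin into one "service X restart" line each, or a
# comment line for processes without a known init script.
restart_plan() {
    local proc svc
    while read -r proc; do
        if svc=$(service_for "$proc"); then
            echo "service $svc restart"
        else
            echo "# no init script known for '$proc': restart it by hand or reboot"
        fi
    done
}

main() {
    if rpm -q --changelog openssl | changelog_has_fix; then
        echo "openssl package already carries the CVE-2014-0160 fix"
    else
        echo "openssl package is unpatched; updating via yum"
        yum -y update openssl || { echo "yum update failed" >&2; exit 1; }
        if ! rpm -q --changelog openssl | changelog_has_fix; then
            echo "update finished but changelog still lacks CVE-2014-0160; check your repos" >&2
            exit 1
        fi
    fi
    # The version string stays 1.0.1e on CentOS; the build date is what moves.
    openssl version -a | head -n 2

    # Processes that mapped libssl before the update still run the old code.
    plan=$(lsof 2>/dev/null | stale_libssl_procs | restart_plan)
    if [ -z "$plan" ]; then
        echo "no running process is using a deleted libssl"
        exit 0
    fi
    echo "services still using the old libssl; run these (or reboot):"
    echo "$plan"
    if [ "${DO_RESTART:-0}" = 1 ]; then
        # Execute only the real commands; the comment lines are skipped.
        echo "$plan" | grep -v '^#' | while read -r cmd; do $cmd; done
    fi
}

case "${1:-}" in
    run) main ;;
esac
```

Run it once to see the plan, then either reboot or run it again with DO_RESTART=1 to restart the listed services; re-run without DO_RESTART afterwards and expect "no running process is using a deleted libssl". Processes that the table does not know (a bundled Java or Python service, for instance) are reported rather than guessed at, since restarting the wrong init script is worse than a reboot.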
