Openssl Heartbleed Vulnerability
A serious OpenSSL vulnerability has been found, and is named Heartbleed and it affected all servers running OpenSSL versions from 1.0.01 to 1.0.1f. Openssl Heartbleed Vulnerability can be used to get the Private key of a SSL connection, so it is important to update / patch your server immediately. This bug is fixed in OpenSSL version 1.0.1g. All major Linux Distros have already released updates for Hartbleed vulnerability
The bug is not present in 1.0.1g, nor is it present in the 1.0.0 branch nor the 0.9.8 branch of OpenSSL some sources report 1.0.2-beta is also affected by this bug at the time of writing, however it is a beta product and I would really recommend not to use beta quality releases for something as fundamentally important as OpenSSL in production
OpenSSL 1.0.1 vulnerable OpenSSL 1.0.1a vulnerable OpenSSL 1.0.1b vulnerable OpenSSL 1.0.1c vulnerable OpenSSL 1.0.1d vulnerable OpenSSL 1.0.1e vulnerable OpenSSL 1.0.1f vulnerable
OpenSSL 1.0.1g is NOT vulnerable OpenSSL 1.0.0 branch is NOT vulnerable OpenSSL 0.9.8 branch is NOT vulnerable
The patched OpenSSL 1.0.1 RPM has already been published to the RHEL 6 and CentOS 6 repositories, so the only steps that should be necessary to update these servers are to run “yum update” to install the updated version of OpenSSL and then either fully restart all SSL-enabled services, including sshd, or reboot the server. I recommend rebooting the server so that no services are missed, and it also gives you the opportunity to install an updated kernel if one is available.
So if your system is prone to this vulnerability or reported as vulnerable from above sites then you may please proceed with the following steps
# yum update
Make sure you have the updated OpenSSL packages are installed, then try to rebuild your server softwareâ€™s using:
Make sure the newly installed OpenSSL version include patched CVEs (Common Vulnerabilities and Exposures).
# rpm -qa | grep openssl
Output Should look like:
# rpm -qa | grep openssl openssl-1.0.1e-16.el6_5.7.x86_64 openssl-devel-1.0.1e-16.el6_5.7.x86_64
# rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160
Output Should look like:
# rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160 * Mon Apr 07 2014 TomÃ¡Å¡ MrÃ¡z <email@example.com> 1.0.1e-16.7 - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
Restart all services like cPanel ,SSHD ,HTTPD ,Dovecot ,Pure-Ftpd ,MySQL and any other services that are using SSL libraries.I recommend rebooting the server so that no services are missed.
If your server is RHEL 5/Centos 5 then OpenSSL does not have the bug and its version would be something like openssl-0.9.8e. So CentOS/RHEL 5 users are safe from this vulnerability.