April 9, 2014

Heartbleed OpenSSL Bug

There has been a lot of talk on the Internet about a new OpenSSL bug called Heartbleed (CVE-2014-0160). Edge has already taken protective measures to prevent an attack, and a ticket has been generated for each server that is potentially affected. To see whether your servers are affected, log into the Support Portal and view your most recent tickets. If there is a ticket with the subject IMPORTANT: OpenSSL Vulnerability on <server>, that server is potentially affected.

What is the vulnerability?

With a vulnerable version of OpenSSL installed, an attacker can read memory of the affected system. This can allow attackers to eavesdrop on any communication coming into or going out of the server, and the memory read can include the private key of the server's SSL certificates. The attack leaves no trace, which makes it difficult to detect. Because the private keys may have been exposed, you may wish to reissue any SSL certificates for security reasons.

Is my server vulnerable?

To determine whether your server is vulnerable, run the following command as root and compare the output to the vulnerable range, openssl-1.0.1e-15 through openssl-1.0.1e-16.el6_5.4:

rpm -q openssl

If the command reports openssl-1.0.1e-16.el6_5.7.x86_64, OpenSSL has been patched and the server is not vulnerable to the bug. If the version reported is between openssl-1.0.1e-15 and openssl-1.0.1e-16.el6_5.4, the server is vulnerable. This bug only affects RHEL version 6.5 and greater. The version of OpenSSL shipped with RHEL version 6.4 and below is not affected unless OpenSSL was upgraded manually. To check which version of RHEL the server is running, run either of the following commands:

cat /etc/issue
cat /etc/redhat-release
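As an added example (not Edge's own tooling), the following shell function applies the version test above to the string that rpm -q openssl prints, using only the package ranges named in this advisory and reporting anything else as unknown; it also handles the case where both the i686 and x86_64 packages are installed.

```shell
#!/bin/sh
# Constructed example, not Edge's own tooling: classify the output of
# `rpm -q openssl` against the RHEL 6 ranges this advisory gives.
#   vulnerable: openssl-1.0.1e-15 through openssl-1.0.1e-16.el6_5.4
#   patched:    openssl-1.0.1e-16.el6_5.7 (and any later build)
# Anything the advisory does not name is reported as "unknown".

heartbleed_status() {
    pkg=$1                                 # e.g. openssl-1.0.1e-16.el6_5.4.x86_64
    vr=${pkg#openssl-}                     # drop the package name
    vr=${vr%.x86_64}; vr=${vr%.i686}       # drop the architecture suffix
    version=${vr%%-*}                      # 1.0.1e
    release=${vr#*-}                       # 15.el6 | 16.el6 | 16.el6_5.4 | 16.el6_5.7

    # RHEL 6.4 and earlier ship OpenSSL 1.0.0, listed as unaffected unless
    # OpenSSL was upgraded by hand; any other version is out of scope here.
    case "$version" in
        1.0.0*) echo "not affected"; return 0 ;;
        1.0.1e) ;;
        *)      echo "unknown"; return 0 ;;
    esac

    major=${release%%.*}                   # 15 or 16
    rest=${release#"$major"}; rest=${rest#.}   # "", el6, el6_5.4, el6_5.7
    case "$rest" in
        "" | el6) minor=0 ;;
        el6_5.*)  minor=${rest#el6_5.} ;;
        *)        echo "unknown"; return 0 ;;
    esac
    case "$major$minor" in                 # refuse anything non-numeric
        "" | *[!0-9]*) echo "unknown"; return 0 ;;
    esac

    if   [ "$major" -lt 15 ]; then echo "unknown"
    elif [ "$major" -eq 15 ]; then echo "vulnerable"
    elif [ "$major" -eq 16 ] && [ "$minor" -le 4 ]; then echo "vulnerable"
    elif [ "$major" -eq 16 ] && [ "$minor" -lt 7 ]; then echo "unknown"
    else echo "patched"
    fi
}

# On a live host, report every installed openssl package (i686 and x86_64
# may both be present); skipped where rpm is absent or openssl is not installed.
if command -v rpm >/dev/null 2>&1 && rpm -q openssl >/dev/null 2>&1; then
    rpm -q openssl | while read -r pkg; do
        echo "$pkg: $(heartbleed_status "$pkg")"
    done
fi
```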

How is the bug fixed?

To update the software, log into the server, become root, and run the following command:

yum update openssl -y && service httpd restart

This will upgrade OpenSSL to the latest version and restart Apache (drop the portion of the command starting with “&&” if you’re not running Apache).
