June 6, 2014

New Security Advisory Regarding An OpenSSL Vulnerability

In April 2014, Heartbleed and OpenSSL were in the news. From technologists to grandmothers everywhere, everyone was talking about Heartbleed. The good news is that the attention brought a significant number of new eyes, and much closer scrutiny, to the OpenSSL code base.

A new advisory describes a different OpenSSL vulnerability, found by security researchers, that could allow an attacker positioned as a Man-in-the-Middle between a client and a server to intercept the data they exchange. The attack only works if both the client and the server are running a vulnerable OpenSSL, so it is less severe and harder to exploit than Heartbleed, which needed only a vulnerable server.

Given that most modern browsers don’t use OpenSSL, and a Man-in-the-Middle attack requires the attacker to already sit on the network path between client and server, the risk of exploitation is low. Nevertheless, we here at Edge believe that the security of our customers is paramount and we will be patching all affected servers.

Besides the difficulty of the attack, the other good news is that private keys are not at risk, so there is no need for SSL certificates to be reissued.

Just as with the last vulnerability, Edge customers using load balancing, CDN, and DDOS protection are not affected externally, even if individual servers behind those services were vulnerable.

Edge recommends that OpenSSL be updated to the latest version. The advisory suggests updating to OpenSSL version 1.0.1h. However, Red Hat backports security fixes into the version it ships rather than moving to a new upstream version, so on RHEL 6 servers the patched package is openssl-1.0.1e-16.el6_5.14.x86_64: the version stays 1.0.1e and it is the release number, 16.el6_5.14, that shows the fix is present. Should you wish to verify the version of OpenSSL installed on a server, log into the server via SSH and run the following command:

rpm -qa | grep openssl

The output should be openssl-1.0.1e-16.el6_5.14.x86_64 and/or openssl-1.0.1e-16.el6_5.14.i686 (the i686 package appears on 64-bit servers that also have 32-bit libraries installed).

If you wish to update the version of OpenSSL installed on the server, please perform the following:

  • Log into the server via SSH.
  • Become root (sudo su -)
  • Run “yum clean all”
  • Once completed, run “yum update openssl -y”
  • Once downloaded and installed, restart any service that uses OpenSSL, such as Apache, vsftpd, and SSH. A running process keeps using the old library it already loaded until it is restarted, so updating the package alone is not enough.
    • To restart Apache, run “service httpd restart”
    • To restart vsftpd (if installed), run “service vsftpd restart”
    • To restart SSH, run “service sshd restart”
    • Any other services that potentially use OpenSSL should be restarted as well. The above services are the more common ones.
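The version check above relies on reading the release number by eye, and the restart step relies on remembering every service that links OpenSSL. The script below, an added example and not part of the original post or of Red Hat's tooling, automates both: it compares an installed package name against the fixed build named above using RPM-style segment comparison, and it scans /proc/*/maps for processes that still have a deleted (that is, pre-update) libssl or libcrypto mapped, which is exactly the set of services that need a restart. The sample maps lines are constructed for illustration; the "--live" mode runs the real rpm and /proc queries and must be run as root to see every process.

```shell
#!/bin/sh
# Added example: verify the RHEL 6 openssl build and find processes that
# still need a restart after "yum update openssl". Not from the original post.

FIXED_VR="1.0.1e-16.el6_5.14"   # fixed version-release named in the post

# rpm_vercmp A B: print -1, 0 or 1 comparing two "version-release" strings
# the way rpm does: runs of digits and runs of letters are separate segments,
# digit segments compare numerically, and a numeric segment beats a letter one.
rpm_vercmp() {
    awk -v a="$1" -v b="$2" '
    function segs(s, arr,   i, c, k, kind, cur, n) {
        n = 0; cur = ""; kind = ""
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (c ~ /[0-9]/) k = "d"; else if (c ~ /[A-Za-z]/) k = "a"; else k = ""
            if (k == "" || k != kind) { if (cur != "") arr[++n] = cur; cur = "" }
            if (k != "") cur = cur c
            kind = k
        }
        if (cur != "") arr[++n] = cur
        return n
    }
    function vercmp(x, y,   ax, ay, nx, ny, i, sx, sy) {
        nx = segs(x, ax); ny = segs(y, ay)
        for (i = 1; i <= nx && i <= ny; i++) {
            sx = ax[i]; sy = ay[i]
            if (sx ~ /^[0-9]+$/ && sy ~ /^[0-9]+$/) {
                if (sx + 0 != sy + 0) return (sx + 0 > sy + 0) ? 1 : -1
            } else if (sx ~ /^[0-9]+$/) {
                return 1
            } else if (sy ~ /^[0-9]+$/) {
                return -1
            } else if (sx != sy) {
                return (sx > sy) ? 1 : -1
            }
        }
        if (nx == ny) return 0
        return (nx > ny) ? 1 : -1
    }
    BEGIN { print vercmp(a, b) }'
}

# openssl_is_fixed PKG: succeed if PKG (as printed by "rpm -q openssl", e.g.
# openssl-1.0.1e-16.el6_5.14.x86_64) is the fixed build or a later one.
openssl_is_fixed() {
    vr=$(printf '%s\n' "$1" | sed -e 's/^openssl-//' -e 's/\.x86_64$//' \
                                 -e 's/\.i686$//' -e 's/\.noarch$//')
    [ "$(rpm_vercmp "$vr" "$FIXED_VR")" -ge 0 ]
}

# stale_pids: read "/proc/<pid>/maps:<mapping>" lines (grep -H output) on
# stdin and print each PID that still maps a deleted libssl or libcrypto,
# i.e. a process started before the update that must be restarted.
stale_pids() {
    grep -e 'libssl' -e 'libcrypto' | grep '(deleted)' \
        | sed 's#^/proc/\([0-9]*\)/maps:.*#\1#' | sort -u
}

# Constructed sample: pid 1234 and 9012 still run the old library, 5678 does not.
SAMPLE_MAPS='/proc/1234/maps:7f3a1c000000-7f3a1c1f5000 r-xp 00000000 fd:00 1966 /usr/lib64/libssl.so.1.0.1e (deleted)
/proc/1234/maps:7f3a1b800000-7f3a1b9c0000 r-xp 00000000 fd:00 1960 /usr/lib64/libcrypto.so.1.0.1e (deleted)
/proc/5678/maps:7f0000000000-7f00001f5000 r-xp 00000000 fd:00 2001 /usr/lib64/libssl.so.1.0.1e
/proc/9012/maps:7f1000000000-7f10001f5000 r-xp 00000000 fd:00 1966 /usr/lib64/libssl.so.1.0.1e (deleted)'

if [ "${1:-}" = "--live" ]; then
    for pkg in $(rpm -q openssl); do      # one line per installed arch
        if openssl_is_fixed "$pkg"; then echo "OK      $pkg"; else echo "OLD     $pkg"; fi
    done
    for pid in $(grep -H -e libssl -e libcrypto /proc/[0-9]*/maps 2>/dev/null | stale_pids); do
        echo "RESTART pid $pid ($(ps -o comm= -p "$pid"))"
    done
fi
```

Run it as root with "--live" after the yum update: every line marked RESTART names a process (httpd, vsftpd, sshd, or anything else that linked OpenSSL) that is still executing the pre-update library. Once all affected services have been restarted the list is empty, which is a better completion check than restarting a fixed set of services from memory.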
