Security Advisory: Important OpenSSL Security Vulnerability
Posted by Kevin Stange on 08 April 2014 06:57 PM
A vulnerability has recently been disclosed in OpenSSL which affects all systems running CentOS 6.5 or Debian 7 "Wheezy." This vulnerability is serious and may allow a remote user to discover the private key for any SSL certificates used with a service powered by OpenSSL. This typically includes most web servers, control panels and mail servers running on Linux.

This vulnerability has existed for over two years in OpenSSL. CentOS did not include a vulnerable version of OpenSSL until the 6.5 release, which became available on December 1st, 2013. Debian 7 has included a vulnerable version of OpenSSL since it was released on May 4th, 2013.

This issue is known as the "heartbleed" bug. Further technical information may be found at the Heartbleed information site. It has been assigned the ID CVE-2014-0160 in the Common Vulnerabilities and Exposures database.

Users of CentOS 5 and Debian 6 "Squeeze" are not affected. Windows servers do not use OpenSSL by default. You may wish to check any third-party software you have installed for bulletins and updates, if applicable.

CentOS and Debian have patched this vulnerability as of April 7th, 2014. To completely patch this vulnerability, you must update your OpenSSL package and then restart all services that use OpenSSL. Please review the directions for your installation below.

Important: As this vulnerability has existed for a long time and it is not possible to know whether it has been exploited, you should use your control panel or OpenSSL tools to generate a new private key and certificate request for each certificate you have on your server. Then, use the "re-key" feature at your SSL certificate provider to generate a new certificate based on the new CSR file. If your SSL private key was able to be downloaded through the exploit, someone on the Internet might be able to view encrypted data when it is transmitted to or from your server, or fool users into using a fake web site with your actual SSL certificate on it.
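Generating the replacement private key and certificate request described above, as an added example that is not part of the original advisory. It uses standard openssl subcommands; the function names, the temporary working directory and the common name www.example.com are placeholders of my own. The check at the end confirms the CSR you hand to the provider's re-key form was really built from the new key, so the old (possibly leaked) key is not reused by mistake.

```shell
#!/bin/sh
# Added example, not from the advisory: make a fresh private key and CSR for
# re-keying a certificate, then verify the CSR belongs to that key.
# Function names, directory and common name below are placeholders (mine).

# Generate a new 2048-bit RSA private key and a CSR for it.
# $1 = output directory, $2 = certificate common name (e.g. www.example.com)
new_key_and_csr() {
    dir="$1"; cn="$2"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/new.key" -out "$dir/new.csr" \
        -subj "/CN=$cn" >/dev/null 2>&1 || return 1
    chmod 600 "$dir/new.key"          # the private key must not be world-readable
}

# Returns 0 if the public key embedded in the CSR equals the public half of the
# private key, i.e. the CSR you submit for re-keying was made from this key.
csr_matches_key() {
    key="$1"; csr="$2"
    k="$(openssl pkey -in "$key" -pubout 2>/dev/null)" || return 1
    c="$(openssl req -in "$csr" -pubkey -noout 2>/dev/null)" || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Returns 0 if two private keys are different: the point of re-keying is that
# the key which may have been exposed is never used again.
keys_differ() {
    a="$(openssl pkey -in "$1" -pubout 2>/dev/null)" || return 1
    b="$(openssl pkey -in "$2" -pubout 2>/dev/null)" || return 1
    [ -n "$a" ] && [ "$a" != "$b" ]
}

# Demo run in a temporary directory with a placeholder common name.
if command -v openssl >/dev/null 2>&1; then
    work="$(mktemp -d)"
    if new_key_and_csr "$work" "www.example.com" &&
       csr_matches_key "$work/new.key" "$work/new.csr"; then
        echo "new.csr matches new.key; submit new.csr to the provider's re-key form"
    fi
    rm -rf "$work"
else
    echo "openssl not found; nothing generated"
fi
```

Keep new.key on the server (it is what the re-issued certificate will be installed against) and send only new.csr to the certificate provider; the re-issued certificate should be installed only after the OpenSSL update and service restarts below are complete.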
You should not publish a new certificate until after you have applied the fix for your system.

CentOS 6.5

To check which version of OpenSSL is installed, run the following command:

    rpm -q openssl

The version number should be greater than or equal to 1.0.1e-16.el6_5.7. The notable number to look for is the ".7" at the end. If the last number is not 7 or higher, you will need to upgrade.

If your version does not match, please run the following command and ensure an update to the openssl package is included:

    yum -y update openssl

If no update is available, please try the following command, then repeat the command above:

    yum clean metadata

After the upgrade completes, you should restart your web server and any other services for which you have enabled SSL certificates. For example, to restart your web server, you can run the following command:

    service httpd restart

If you have a control panel, you should step through each service listed in the "Services" area of the control panel and restart them one by one. If you have any doubts about which services to restart, we recommend restarting your entire server. You can do this by running the command:

    reboot

Red Hat published the following advisories regarding this vulnerability:
Debian 7

To check which version of OpenSSL is installed, run the following command:

    dpkg -l openssl

The version number should be greater than or equal to 1.0.1e-2+deb7u6. The notable part to look for is the "+deb7u6" at the end. If the last number is not 6 or higher, or the part after "+" is missing, you will need to upgrade.

If your version does not match, please run the following command and ensure an update to the openssl and libssl1.0.0 packages is included:

    apt-get update

After the upgrade completes, you should restart your web server and any other services for which you have enabled SSL certificates. Debian will list services that appear to need to be restarted. It is recommended that you accept the default list.

If you have a control panel, you should step through each service listed in the "Services" area of the control panel and restart them one by one. If you have any doubts about which services to restart, we recommend restarting your entire server. You can do this by running the command:

    reboot

Debian published the following advisory regarding this vulnerability:
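The version checks for both the CentOS 6.5 and the Debian 7 sections above, written out as an added example that is not part of the original advisory. It applies the two rules the advisory gives (".7 or higher" after the last dot for CentOS, "+deb7u" followed by 6 or higher for Debian) to a package version string. The rpm and dpkg-query query commands in the comments are standard tools; the function names and the sample version strings are my own, and the samples are constructed so the script runs without either distribution present.

```shell
#!/bin/sh
# Added example, not part of the advisory: check an installed OpenSSL package
# version against the fixed builds the advisory names.
#   CentOS 6.5: 1.0.1e-16.el6_5.7 or newer (rule: number after the last "." >= 7)
#   Debian 7:   1.0.1e-2+deb7u6 or newer   (rule: "+deb7u" present, number after it >= 6)
# Function names and the sample version strings below are mine.

# Return 0 if $1 is a non-empty string of digits, else 1.
is_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# CentOS 6.5. Input: VERSION-RELEASE as printed by
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl
# Returns 0 = patched, 1 = vulnerable, 2 = not a build this check understands.
centos_patched() {
    v="$1"
    case "$v" in
        1.0.1e-16.el6_5.*) ;;            # the build family the advisory describes
        *) return 2 ;;
    esac
    n="${v##*.}"                         # text after the last dot, e.g. "7"
    is_number "$n" || return 2
    [ "$n" -ge 7 ]
}

# Debian 7. Input: package version as printed by
#   dpkg-query -W -f='${Version}\n' openssl
# Returns 0 = patched, 1 = vulnerable, 2 = not a build this check understands.
debian_patched() {
    v="$1"
    case "$v" in
        1.0.1e-2+deb7u*) ;;              # security update suffix present
        1.0.1e-2) return 1 ;;            # no "+deb7u" part at all: unpatched Wheezy build
        *) return 2 ;;
    esac
    n="${v##*+deb7u}"                    # text after "+deb7u", e.g. "6"
    is_number "$n" || return 2
    [ "$n" -ge 6 ]
}

# Run one check and print a one-line verdict.
# $1 = label, $2 = check function, $3 = version string
report() {
    if "$2" "$3"; then rc=0; else rc=$?; fi
    case "$rc" in
        0) state=patched ;;
        1) state=VULNERABLE ;;
        *) state=unrecognised ;;
    esac
    echo "$1 $3: $state"
}

# Constructed sample versions (not read from a real host) so this runs offline.
# On a live server, substitute the output of the rpm/dpkg-query commands above.
for v in 1.0.1e-16.el6_5.4 1.0.1e-16.el6_5.7 1.0.1e-16.el6_5.14; do
    report "CentOS 6.5" centos_patched "$v"
done
for v in 1.0.1e-2 1.0.1e-2+deb7u4 1.0.1e-2+deb7u6 1.0.1e-2+deb7u11; do
    report "Debian 7  " debian_patched "$v"
done
```

A version the check reports as "unrecognised" is neither proof of a fix nor of a vulnerable build: it means the package is from a different build family than the advisory covers, and the distribution's own advisory should be consulted. Note also that updating the package is only half of the fix; any service that loaded the old library before the update, including one that was restarted before the package changed, still needs to be restarted afterwards.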
If you have any questions or need assistance performing these upgrades, please contact us and we'll be happy to help.