Solved

HeartBleed Vulnerability

Posted on 2014-04-10
5
504 Views
Last Modified: 2014-04-11
I am running CentOS 5.x and 6.x on several servers, some with Nginx and some with Apache; almost all of them use Comodo SSL certificates. My question is how to mitigate the risk of the HeartBleed vulnerability? I have already updated the OpenSSL packages. Is that enough?
Question by:sysautomation
5 Comments
 
LVL 88

Assisted Solution

by:rindi
rindi earned 125 total points
ID: 39991190
You should also renew the SSL certificates you have, as those could have been copied while the vulnerability was still there. Besides, yum update to completely keep your OS up-to-date (not just SSL) should be done regularly, as there can always be other vulnerabilities that get patched that way.
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 125 total points
ID: 39991291
Agreed.

Step one is to visit https://www.ssllabs.com/ssltest/ or a similar testing site and verify you are properly patched now (it will also check some other common stuff for you at the same time)

Step Two is to *assume* that your server keys and user accounts could have been compromised and take the steps appropriate to that - obtain and install a new SSL key/cert pair, revoke the old cert, and advise customers that the bug may apply and to change their passwords as soon as possible.

I think one of the ironic things is that if you hadn't updated SSL since before March 2012, you were safe :)
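Step two in practice, as an added example (this is not Dave's code, nor anything from the original thread): generate a brand-new private key and CSR for the Comodo reissue, then check that the key the web server will load really is new. A certificate reissued from the old CSR still carries the old, possibly leaked, public key, so the rotation would accomplish nothing. The function names (`new_key_and_csr`, `key_matches_cert`, `rotation_ok`) are invented here; the openssl subcommands are standard ones.

```shell
#!/bin/sh
# Added example, not from the original thread: rotate a site's RSA key pair
# after Heartbleed and verify that the rotation actually happened.
# Requires the openssl command-line tool.

# modulus_fp TYPE FILE -> md5 of the RSA modulus; TYPE is x509 (cert) or rsa (key).
# Comparing moduli is the usual way to tell whether a key and a cert belong together.
modulus_fp() {
    openssl "$1" -noout -modulus -in "$2" | openssl md5 | awk '{print $NF}'
}

# key_matches_cert KEY CERT -> exit 0 if they share a modulus, 1 otherwise
key_matches_cert() {
    [ "$(modulus_fp rsa "$1")" = "$(modulus_fp x509 "$2")" ]
}

# new_key_and_csr HOST DIR -> writes DIR/HOST.key and DIR/HOST.csr
# Always a fresh key: never reuse the old key or the old CSR for the reissue.
new_key_and_csr() {
    host=$1; dir=$2
    (
        umask 077                 # private key readable only by its owner
        openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=$host" \
            -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
    )
}

# rotation_ok HOST DIR OLDCERT -> 0 if the new key differs from the old cert's key,
# 1 if someone (or some tooling) silently reused the old key.
rotation_ok() {
    if key_matches_cert "$2/$1.key" "$3"; then
        echo "$1: key was NOT rotated (new key matches the old certificate)"
        return 1
    fi
    echo "$1: new key differs from the old certificate, submit $2/$1.csr for reissue"
    return 0
}

# Typical run on a host (hypothetical paths):
#   new_key_and_csr www.example.com /etc/pki/tls/private
#   rotation_ok www.example.com /etc/pki/tls/private /etc/pki/tls/certs/www.example.com.crt
```

Once the reissued certificate is installed and the web server restarted, revoke the old certificate through the CA (Comodo's portal, not shown here) and re-run the SSL Labs test from step one to confirm the new chain is what is being served.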
 
LVL 35

Accepted Solution

by:Seth Simmons
Seth Simmons earned 125 total points
ID: 39991571
Unless you are running 6.5, it probably isn't an issue for you.

OpenSSL CVE-2014-0160 Heartbleed bug and Red Hat Enterprise Linux
https://access.redhat.com/site/solutions/781793

If you don't have access to read that article, it states that RHEL 5 is not affected and RHEL 6 is not affected through release 4 when using openssl-1.0.0.

Any system reportedly running Red Hat Enterprise Linux 6.5 is likely affected, but more specifically, any RHEL 6 system with versions of the openssl package from openssl-1.0.1e-15.el6 through openssl-1.0.1e-16.el6_5.4 is affected
 
LVL 21

Assisted Solution

by:Mazdajai
Mazdajai earned 125 total points
ID: 39992113
It impacts OpenSSL 1.0.1 through 1.0.1f.

If you are on 1.0.1 or 1.0.1g+, you are not affected and do not need to do anything.
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39993546
One of those cases where you need to know what you upgraded from, I guess.

If you have upgraded openssl from 1.0.0 to 1.0.1 at any point, then you were vulnerable. If you have now gone to 1.0.1g then you are no longer vulnerable, but only by knowing whether you WERE vulnerable do you know if that mattered...
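As an added example (not code from any of the posters above), here is a POSIX shell snippet that turns the package ranges quoted in this thread into a check you can run on each CentOS host: Seth's el6 range (openssl-1.0.1e-15.el6 through openssl-1.0.1e-16.el6_5.4 affected), Mazdajai's upstream range (1.0.1 through 1.0.1f affected, 1.0.1g and later fixed), plus Dave's point that you also need to know what you upgraded from. It also covers the caveat behind the original question: a yum update of the library does nothing for nginx or httpd processes that are still running with the old copy mapped until they are restarted. Two assumptions, also marked in the comments: an el6 build with a release newer than 16.el6_5.4 is treated as carrying the backported fix, and an el6 1.0.1e build with a release below 15 is treated as unpatched. The classifier only knows the ranges named in this thread and is not a substitute for the Red Hat advisory.

```shell
#!/bin/sh
# Added example: classify an OpenSSL package version against the ranges quoted
# in this thread, then inspect the running host. Not from the original posters.

# heartbleed_status VERSION[-RELEASE]
#   Accepts an rpm "VERSION-RELEASE" string (e.g. 1.0.1e-16.el6_5.4) or a bare
#   upstream version (e.g. 1.0.1g). Prints one of:
#     not-affected-series  not an OpenSSL 1.0.1 build (0.9.8 on CentOS 5, 1.0.0 on 6.0-6.4)
#     fixed-upstream       1.0.1g or later
#     vulnerable           1.0.1 .. 1.0.1f without a distro fix, or an el6 build in
#                          the range 1.0.1e-15.el6 .. 1.0.1e-16.el6_5.4
#     fixed-el6            an el6 build newer than 1.0.1e-16.el6_5.4
#                          (assumption: later el6 releases carry the backported fix)
heartbleed_status() {
    vr=$1
    case $vr in
        *-*) ver=${vr%%-*}; rel=${vr#*-} ;;
        *)   ver=$vr;       rel='' ;;
    esac
    base=${ver%[a-z]}          # "1.0.1e" -> "1.0.1"
    letter=${ver#"$base"}      # "e", or "" for plain 1.0.1

    if [ "$base" != "1.0.1" ]; then
        echo not-affected-series
        return 0
    fi
    case $letter in
        ''|[a-f]) ;;                         # inside the affected upstream range
        *) echo fixed-upstream; return 0 ;;  # 1.0.1g+
    esac
    case $rel in
        *.el6*) ;;                           # RHEL/CentOS 6 backported build: inspect the release
        *) echo vulnerable; return 0 ;;      # upstream or unknown packaging: trust the letter
    esac

    relnum=${rel%%.*}                        # "16.el6_5.4" -> 16
    sub=${rel##*.}                           # "16.el6_5.4" -> 4 ; "15.el6" -> "el6"
    case $sub in ''|*[!0-9]*) sub=0 ;; esac  # no numeric sub-release
    # Affected: 15.el6 (any sub-release) up to and including 16.el6_5.4.
    # Assumption: anything older than 15 is an unpatched 1.0.1e build.
    if [ "$relnum" -gt 16 ] || { [ "$relnum" -eq 16 ] && [ "$sub" -ge 5 ]; }; then
        echo fixed-el6
    else
        echo vulnerable
    fi
}

# check_host: run on a CentOS/RHEL box. Classifies every installed openssl
# package (multilib hosts have two), shows what was installed before (yum
# history exists on CentOS 6, not on 5), and lists processes that still have a
# deleted libssl/libcrypto mapped, i.e. daemons started before the update that
# are still running the vulnerable code and need a restart.
check_host() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl | while read -r vr; do
        echo "openssl-$vr: $(heartbleed_status "$vr")"
    done
    yum history package-list openssl 2>/dev/null || true
    for maps in /proc/[0-9]*/maps; do
        if grep -qE 'lib(ssl|crypto)\.so[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
            pid=${maps#/proc/}; pid=${pid%/maps}
            printf 'restart needed: pid %s %s\n' "$pid" \
                "$(tr '\0' ' ' < /proc/"$pid"/cmdline)"
        fi
    done
}

# Usage on a host:  . ./heartbleed-check.sh && check_host
```

`fixed-el6` still only means the package is past the affected range; whether a given service is safe depends on it having been restarted, which is what the `restart needed` lines tell you. Hosts that were ever in the `vulnerable` range, even briefly, are the ones where the key and password rotation from Dave's step two applies.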
