• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 513
  • Last Modified:

HeartBleed Vulnerability

I am running CenOS 5.x and 6.x on my several servers with Nginx and some with Apache almost all use Comodo SSL certificates. My question is how to mitigate the risk of HeartBleed Vulnerability? I have already update OpenSSL packages. Is that enough?
4 Solutions
You should also renew the SSL certificates you have, as those could have been copied while the vulnerability was still there. Besides, yum update to completely keep your OS up-to-date (not just SSL) should be done regularly, as there can always be other vulnerabilities that get patched that way.
Dave HoweSoftware and Hardware EngineerCommented:

Step one is to visit https://www.ssllabs.com/ssltest/ or a similar testing site and verify you are properly patched now (it will also check some other common stuff for you at the same time)

Step Two is to *assume* that your server keys and user accounts could have been compromised and take the steps appropriate to that - obtain and install a new SSL key/cert pair, revoke the old cert, and advise customers that the bug may apply and to change their passwords as soon as possible.

I think one of the ironic things is that if you hadn't updated SSL since before March 2012, you were safe :)
Seth SimmonsSr. Systems AdministratorCommented:
unless you are running 6.5, it probably isn't an issue for you

OpenSSL CVE-2014-0160 Heartbleed bug and Red Hat Enterprise Linux

if you don't have access to read that article, it states that RHEL 5 is not affected and RHEL 6 is not affected through release 4 when using openssl-1.0.0

Any system reportedly running Red Hat Enterprise Linux 6.5 is likely affected, but more specifically, any RHEL 6 system with versions of the openssl package from openssl-1.0.1e-15.el6 through openssl-1.0.1e-16.el6_5.4 is affected
It impacts OpenSSL 1.0.1 through 1.0.1f.

If you are on 1.0.1 or 1.0.1g+, you are not affected and does not need to do anything.
Dave HoweSoftware and Hardware EngineerCommented:
one of those cases where you need to know what you upgraded from, I guess.

If you have upgraded openssl from 1.0.0 to 1.0.1 at any point, then you were vulnerable. if you have now gone to 1.0.1g then you are no longer vulnerable, but only by knowing if you WERE vulnerable do you know if that mattered...
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now