?
Solved

HeartBleed Vulnerability

Posted on 2014-04-10
5
Medium Priority
?
510 Views
Last Modified: 2014-04-11
I am running CenOS 5.x and 6.x on my several servers with Nginx and some with Apache almost all use Comodo SSL certificates. My question is how to mitigate the risk of HeartBleed Vulnerability? I have already update OpenSSL packages. Is that enough?
0
Comment
Question by:sysautomation
5 Comments
 
LVL 88

Assisted Solution

by:rindi
rindi earned 500 total points
ID: 39991190
You should also renew the SSL certificates you have, as those could have been copied while the vulnerability was still there. Besides, yum update to completely keep your OS up-to-date (not just SSL) should be done regularly, as there can always be other vulnerabilities that get patched that way.
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 500 total points
ID: 39991291
Agreed.

Step one is to visit https://www.ssllabs.com/ssltest/ or a similar testing site and verify you are properly patched now (it will also check some other common stuff for you at the same time)

Step Two is to *assume* that your server keys and user accounts could have been compromised and take the steps appropriate to that - obtain and install a new SSL key/cert pair, revoke the old cert, and advise customers that the bug may apply and to change their passwords as soon as possible.

I think one of the ironic things is that if you hadn't updated SSL since before March 2012, you were safe :)
0
 
LVL 36

Accepted Solution

by:
Seth Simmons earned 500 total points
ID: 39991571
unless you are running 6.5, it probably isn't an issue for you

OpenSSL CVE-2014-0160 Heartbleed bug and Red Hat Enterprise Linux
https://access.redhat.com/site/solutions/781793

if you don't have access to read that article, it states that RHEL 5 is not affected and RHEL 6 is not affected through release 4 when using openssl-1.0.0

Any system reportedly running Red Hat Enterprise Linux 6.5 is likely affected, but more specifically, any RHEL 6 system with versions of the openssl package from openssl-1.0.1e-15.el6 through openssl-1.0.1e-16.el6_5.4 is affected
0
 
LVL 21

Assisted Solution

by:Mazdajai
Mazdajai earned 500 total points
ID: 39992113
It impacts OpenSSL 1.0.1 through 1.0.1f.

If you are on 1.0.1 or 1.0.1g+, you are not affected and does not need to do anything.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39993546
one of those cases where you need to know what you upgraded from, I guess.

If you have upgraded openssl from 1.0.0 to 1.0.1 at any point, then you were vulnerable. if you have now gone to 1.0.1g then you are no longer vulnerable, but only by knowing if you WERE vulnerable do you know if that mattered...
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The well known Cerber ransomware continues to spread this summer through spear phishing email campaigns targeting enterprises. Learn how it easily bypasses traditional defenses - and what you can do to protect your data.
This article covers the basics of data encryption, what it is, how it works, and why it's important. If you've ever wondered what goes on when you "encrypt" data, you can look here to build a good foundation for your personal learning.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Suggested Courses
Course of the Month14 days, 14 hours left to enroll

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question