• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 732
  • Last Modified:

Open SSL Heartbleed question

Hi am trying to find out if my version of open SSL is vulnerable to the Heartbleed attack.

[root@server ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

[root@server ~]# rpm -qa | grep openssl
openssl-1.0.1e-16.el6_5.7.i686
openssl-1.0.1e-16.el6_5.7.x86_64

[root@server ~]#

I'm running cent os with plesk 11

Thanks!
0
helpchrisplz
Asked:
helpchrisplz
2 Solutions
 
rindiCommented:
Yes, every version between and including 1.0.1 and 1.0.1f is vulnerable. Use yum update to update your system, then get new SSL certificates, and after that, if your clients need to input a password when they access the SSL site, have them change that password.
0
 
Scott Fell, EE MVEDeveloper & EE ModeratorCommented:
It looks like yes

http://heartbleed.com/

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
0
 
helpchrisplzAuthor Commented:
ty
0
Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

 
Dave HoweSoftware and Hardware EngineerCommented:
Note however - the bug *only* applies if you are using openssl to offer an externally-facing secure server - so https, ldaps, imaps, even postgres - all apply.
If you are not offering such a service (so, only unencrypted services such as smtp or http) then there is no risk.
0
 
helpchrisplzAuthor Commented:
i did yum update with this output:

[root@server ~]# yum update
Loaded plugins: fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
epel/metalink                                            |  25 kB     00:00
 * base: mirror.sov.uk.goscomb.net
 * epel: www.mirrorservice.org
 * extras: centos.hyve.com
 * updates: mirror.as29550.net
base                                                     | 3.7 kB     00:00
extras                                                   | 3.4 kB     00:00
updates                                                  | 3.4 kB     00:00
Setting up Update Process
No Packages marked for Update
[root@ ~]#

Open in new window



it says No Packages marked for Update.
and when i re do the version commands its the same version as before.
I haven't restarted the server yet.
0
 
helpchrisplzAuthor Commented:
this says that there is a backported patch for older versions.

http://forums.cpanel.net/f185/openssl-heartbleed-bug-1-0-1g-encryption-keys-risk-401511-p4.html#post1617141

when i run
rpm -q --changelog openssl | grep -B 1 CVE-2014-0160

i get this output:

* Mon Apr 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
--
* Mon Apr 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension


so it looks like i must have a backported patch... :O
0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now