Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Open SSL Heartbleed question

Posted on 2014-04-11
6
Medium Priority
?
729 Views
Last Modified: 2014-04-13
Hi am trying to find out if my version of open SSL is vulnerable to the Heartbleed attack.

[root@server ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

[root@server ~]# rpm -qa | grep openssl
openssl-1.0.1e-16.el6_5.7.i686
openssl-1.0.1e-16.el6_5.7.x86_64

[root@server ~]#

I'm running cent os with plesk 11

Thanks!
0
Comment
Question by:helpchrisplz
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 88

Assisted Solution

by:rindi
rindi earned 1000 total points
ID: 39994056
Yes, every version between and including 1.0.1 and 1.0.1f is vulnerable. Use yum update to update your system, then get new SSL certificates, and after that, if your clients need to input a password when they access the SSL site, have them change that password.
0
 
LVL 54

Accepted Solution

by:
Scott Fell,  EE MVE earned 1000 total points
ID: 39994059
It looks like yes

http://heartbleed.com/

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
0
 
LVL 1

Author Closing Comment

by:helpchrisplz
ID: 39994117
ty
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
LVL 33

Expert Comment

by:Dave Howe
ID: 39994479
Note however - the bug *only* applies if you are using openssl to offer an externally-facing secure server - so https, ldaps, imaps, even postgres - all apply.
If you are not offering such a service (so, only unencrypted services such as smtp or http) then there is no risk.
0
 
LVL 1

Author Comment

by:helpchrisplz
ID: 39997346
i did yum update with this output:

[root@server ~]# yum update
Loaded plugins: fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
epel/metalink                                            |  25 kB     00:00
 * base: mirror.sov.uk.goscomb.net
 * epel: www.mirrorservice.org
 * extras: centos.hyve.com
 * updates: mirror.as29550.net
base                                                     | 3.7 kB     00:00
extras                                                   | 3.4 kB     00:00
updates                                                  | 3.4 kB     00:00
Setting up Update Process
No Packages marked for Update
[root@ ~]#

Open in new window



it says No Packages marked for Update.
and when i re do the version commands its the same version as before.
I haven't restarted the server yet.
0
 
LVL 1

Author Comment

by:helpchrisplz
ID: 39997361
this says that there is a backported patch for older versions.

http://forums.cpanel.net/f185/openssl-heartbleed-bug-1-0-1g-encryption-keys-risk-401511-p4.html#post1617141

when i run
rpm -q --changelog openssl | grep -B 1 CVE-2014-0160

i get this output:

* Mon Apr 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
--
* Mon Apr 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension


so it looks like i must have a backported patch... :O
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
This article covers the basics of data encryption, what it is, how it works, and why it's important. If you've ever wondered what goes on when you "encrypt" data, you can look here to build a good foundation for your personal learning.
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question