Solved

OpenSSL Heartbleed question

Posted on 2014-04-11
Last Modified: 2014-04-13
Hi, I am trying to find out if my version of OpenSSL is vulnerable to the Heartbleed attack.

[root@server ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

[root@server ~]# rpm -qa | grep openssl
openssl-1.0.1e-16.el6_5.7.i686
openssl-1.0.1e-16.el6_5.7.x86_64

[root@server ~]#

I'm running CentOS with Plesk 11.

Thanks!
Question by:helpchrisplz

Assisted Solution

by:rindi
rindi earned 250 total points
ID: 39994056
Yes, every version between and including 1.0.1 and 1.0.1f is vulnerable. Use yum update to update your system, then get new SSL certificates, and after that, if your clients need to input a password when they access the SSL site, have them change that password.

Accepted Solution

by: Scott Fell, EE MVE earned 250 total points
ID: 39994059
It looks like yes.

http://heartbleed.com/

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.

Author Closing Comment

by:helpchrisplz
ID: 39994117
Thank you.

Expert Comment

by:Dave Howe
ID: 39994479
Note, however, that the bug *only* applies if you are using OpenSSL to offer an externally-facing secure server, so https, ldaps, imaps, even postgres all apply.
If you are not offering such a service (so only unencrypted services such as smtp or http), then there is no risk.

Author Comment

by:helpchrisplz
ID: 39997346
I did yum update with this output:

[root@server ~]# yum update
Loaded plugins: fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
epel/metalink                                            |  25 kB     00:00
 * base: mirror.sov.uk.goscomb.net
 * epel: www.mirrorservice.org
 * extras: centos.hyve.com
 * updates: mirror.as29550.net
base                                                     | 3.7 kB     00:00
extras                                                   | 3.4 kB     00:00
updates                                                  | 3.4 kB     00:00
Setting up Update Process
No Packages marked for Update
[root@ ~]#

It says "No Packages marked for Update",
and when I redo the version commands it's the same version as before.
I haven't restarted the server yet.

Author Comment

by:helpchrisplz
ID: 39997361
This says that there is a backported patch for older versions.

http://forums.cpanel.net/f185/openssl-heartbleed-bug-1-0-1g-encryption-keys-risk-401511-p4.html#post1617141

When I run

rpm -q --changelog openssl | grep -B 1 CVE-2014-0160

I get this output:

* Mon Apr 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
--
* Mon Apr 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension


So it looks like I must have a backported patch... :O
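The two checks this thread ends up with, the affected version range from the accepted solution and the rpm changelog check for a backported fix from the last comment, combined into one script. This is an added example and not code posted in the thread. It assumes an RPM-based system with openssl and rpm on PATH for the live check; the embedded version string and changelog lines are constructed from the output quoted above so the helper functions also run on a machine where neither tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread): classify an OpenSSL install for
# CVE-2014-0160 (Heartbleed) using the two checks discussed above:
#   1. is the upstream version in the affected range 1.0.1 .. 1.0.1f?
#   2. does the distro package changelog claim a backported fix?

# Constructed sample inputs, copied from the output quoted in this thread.
SAMPLE_VERSION='OpenSSL 1.0.1e-fips 11 Feb 2013'
SAMPLE_CHANGELOG='* Mon Apr 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension'

# Extract "1.0.1e" from a line such as "OpenSSL 1.0.1e-fips 11 Feb 2013".
# Prints nothing if the line is not in that shape (e.g. LibreSSL).
openssl_release() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# True (exit 0) when the release is 1.0.1 through 1.0.1f inclusive.
# 1.0.1g, the 1.0.0 and 0.9.8 branches, and anything newer are not affected.
heartbleed_version_affected() {
    case "$(openssl_release "$1")" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *)                return 1 ;;
    esac
}

# True (exit 0) when the package changelog text ($1) mentions the CVE id ($2).
changelog_mentions_fix() {
    printf '%s\n' "$1" | grep -q -- "$2"
}

# Combine both checks. Prints one of:
#   not-affected-version  upstream version is outside the affected range
#   patched-backport      affected version string, but the vendor changelog
#                         records a fix for CVE-2014-0160 (RHEL/CentOS style)
#   vulnerable            affected version and no evidence of a backport
heartbleed_verdict() {
    if ! heartbleed_version_affected "$1"; then
        echo not-affected-version
    elif changelog_mentions_fix "$2" CVE-2014-0160; then
        echo patched-backport
    else
        echo vulnerable
    fi
}

# Live check where both tools exist; otherwise run on the sample data.
if command -v openssl >/dev/null 2>&1 && command -v rpm >/dev/null 2>&1; then
    live_version=$(openssl version 2>/dev/null || true)
    live_changelog=$(rpm -q --changelog openssl 2>/dev/null || true)
    echo "installed: $live_version -> $(heartbleed_verdict "$live_version" "$live_changelog")"
else
    echo "sample: $SAMPLE_VERSION -> $(heartbleed_verdict "$SAMPLE_VERSION" "$SAMPLE_CHANGELOG")"
fi
```

The version string alone is misleading on RHEL and CentOS because Red Hat backports fixes without bumping the upstream version, which is exactly what the thread ran into: 1.0.1e-16.el6_5.7 already carries the CVE-2014-0160 fix. A "patched-backport" verdict only says the package on disk is fixed; daemons that were started before the update keep the old libssl mapped until they are restarted, so restart every TLS-serving service (or reboot) and then confirm with lsof that no process still holds a deleted copy of libssl.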