Solved

Open SSL Heartbleed question

Posted on 2014-04-11
6
719 Views
Last Modified: 2014-04-13
Hi am trying to find out if my version of open SSL is vulnerable to the Heartbleed attack.

[root@server ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

[root@server ~]# rpm -qa | grep openssl
openssl-1.0.1e-16.el6_5.7.i686
openssl-1.0.1e-16.el6_5.7.x86_64

[root@server ~]#

I'm running cent os with plesk 11

Thanks!
0
Comment
Question by:helpchrisplz
6 Comments
 
LVL 88

Assisted Solution

by:rindi
rindi earned 250 total points
ID: 39994056
Yes, every version between and including 1.0.1 and 1.0.1f is vulnerable. Use yum update to update your system, then get new SSL certificates, and after that, if your clients need to input a password when they access the SSL site, have them change that password.
0
 
LVL 52

Accepted Solution

by:
Scott Fell,  EE MVE earned 250 total points
ID: 39994059
It looks like yes

http://heartbleed.com/

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
0
 
LVL 1

Author Closing Comment

by:helpchrisplz
ID: 39994117
ty
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
LVL 33

Expert Comment

by:Dave Howe
ID: 39994479
Note however - the bug *only* applies if you are using openssl to offer an externally-facing secure server - so https, ldaps, imaps, even postgres - all apply.
If you are not offering such a service (so, only unencrypted services such as smtp or http) then there is no risk.
0
 
LVL 1

Author Comment

by:helpchrisplz
ID: 39997346
i did yum update with this output:

[root@server ~]# yum update
Loaded plugins: fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
epel/metalink                                            |  25 kB     00:00
 * base: mirror.sov.uk.goscomb.net
 * epel: www.mirrorservice.org
 * extras: centos.hyve.com
 * updates: mirror.as29550.net
base                                                     | 3.7 kB     00:00
extras                                                   | 3.4 kB     00:00
updates                                                  | 3.4 kB     00:00
Setting up Update Process
No Packages marked for Update
[root@ ~]#

Open in new window



it says No Packages marked for Update.
and when i re do the version commands its the same version as before.
I haven't restarted the server yet.
0
 
LVL 1

Author Comment

by:helpchrisplz
ID: 39997361
this says that there is a backported patch for older versions.

http://forums.cpanel.net/f185/openssl-heartbleed-bug-1-0-1g-encryption-keys-risk-401511-p4.html#post1617141

when i run
rpm -q --changelog openssl | grep -B 1 CVE-2014-0160

i get this output:

* Mon Apr 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
--
* Mon Apr 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension


so it looks like i must have a backported patch... :O
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

By default, Carbonite Server Backup manages your encryption key for you using Advanced Encryption Standard (AES) 128-bit encryption. If you choose to manage your private encryption key, your backups will be encrypted using AES 256-bit encryption.
Encryption for Business Encryption (https://en.wikipedia.org/wiki/Encryption) ensures the safety of our data when sending emails. In most cases, to read an encrypted email you must enter a secret key that will enable you to decrypt the email. T…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question