Solved

Open SSL Heartbleed question

Posted on 2014-04-11
6
721 Views
Last Modified: 2014-04-13
Hi am trying to find out if my version of open SSL is vulnerable to the Heartbleed attack.

[root@server ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

[root@server ~]# rpm -qa | grep openssl
openssl-1.0.1e-16.el6_5.7.i686
openssl-1.0.1e-16.el6_5.7.x86_64

[root@server ~]#

I'm running cent os with plesk 11

Thanks!
0
Comment
Question by:helpchrisplz
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 88

Assisted Solution

by:rindi
rindi earned 250 total points
ID: 39994056
Yes, every version between and including 1.0.1 and 1.0.1f is vulnerable. Use yum update to update your system, then get new SSL certificates, and after that, if your clients need to input a password when they access the SSL site, have them change that password.
0
 
LVL 52

Accepted Solution

by:
Scott Fell,  EE MVE earned 250 total points
ID: 39994059
It looks like yes

http://heartbleed.com/

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
0
 
LVL 1

Author Closing Comment

by:helpchrisplz
ID: 39994117
ty
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 33

Expert Comment

by:Dave Howe
ID: 39994479
Note however - the bug *only* applies if you are using openssl to offer an externally-facing secure server - so https, ldaps, imaps, even postgres - all apply.
If you are not offering such a service (so, only unencrypted services such as smtp or http) then there is no risk.
0
 
LVL 1

Author Comment

by:helpchrisplz
ID: 39997346
i did yum update with this output:

[root@server ~]# yum update
Loaded plugins: fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
epel/metalink                                            |  25 kB     00:00
 * base: mirror.sov.uk.goscomb.net
 * epel: www.mirrorservice.org
 * extras: centos.hyve.com
 * updates: mirror.as29550.net
base                                                     | 3.7 kB     00:00
extras                                                   | 3.4 kB     00:00
updates                                                  | 3.4 kB     00:00
Setting up Update Process
No Packages marked for Update
[root@ ~]#

Open in new window



it says No Packages marked for Update.
and when i re do the version commands its the same version as before.
I haven't restarted the server yet.
0
 
LVL 1

Author Comment

by:helpchrisplz
ID: 39997361
this says that there is a backported patch for older versions.

http://forums.cpanel.net/f185/openssl-heartbleed-bug-1-0-1g-encryption-keys-risk-401511-p4.html#post1617141

when i run
rpm -q --changelog openssl | grep -B 1 CVE-2014-0160

i get this output:

* Mon Apr 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
--
* Mon Apr 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension


so it looks like i must have a backported patch... :O
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Fine Tune your automatic Updates for Ubuntu / Debian
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question