OpenSSL Vulnerabilities - A Few Tips On How To Be Safe

8 April 2014 | by Melbourne Admin

You might have noticed over the past 12 hours that a severe OpenSSL advisory has been announced.

You can find much more comprehensive information at http://heartbleed.com/ if you'd just prefer to skip ahead to the gory details.


The long and short of it is as follows:

  • Linux server customers are most likely to be affected, but there could be edge cases for Windows server customers that utilise OpenSSL. If you're a Windows server customer and don't know if you use OpenSSL, you likely don't.
  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable.
  • The bug allows malicious clients to view 65Kb chunks of decrypted system memory. This can be done many times to build a picture of the contents of your system memory (RAM). This *could* be used to disclose information such as the SSL private key, the private counterpart to your public SSL certificate.
  • Most (if not all) vendors have released patches that are now ready to be installed. These are patched versions of 1.0.1e. If you update your OpenSSL today or in the future, you'll have a patched version installed.
  • After installing the updated OpenSSL package you should restart any system services which depend on SSL encryption, such as HTTP servers, mail servers etc.
  • Despite the bug being present for ~2 years in OpenSSL, it is only present on the very latest stable/long-term support versions of the distros that we offer.

The following distro versions that we offer and support are reported to be vulnerable:

  • Debian 7.x "Wheezy" (stable)
  • Ubuntu 12.04.4 "Precise" (LTS)
  • CentOS 6.5

Please note: Even if your distribution is CentOS 6.4, for example, you may have previously updated to the vulnerable version of OpenSSL that was first supplied with CentOS 6.5. We would advise all people running servers on CentOS 6.x to attempt the OpenSSL upgrades regardless. The same is true for all versions of RHEL 6.x, Debian 7.x and Ubuntu 12.04.x.

Any older distributions' vendor-supplied OpenSSL packages are based on OpenSSL 0.9.8 or 1.0.0, and are not vulnerable.

Managed servers with Melbourne have now all been updated to the latest available version of OpenSSL, tested, and confirmed to be non-vulnerable. Unmanaged server customers can do the following when logged into a server to install the update:

For Debian/Ubuntu:

sudo apt-get update && sudo apt-get -y install openssl libssl1.0.0

Restart any services that might be dependent on SSL, such as apache2, postfix, exim4 etc.

(credit to Darren Wilders for the tweak)

For CentOS/RHEL:

sudo yum -y update openssl

# If using cPanel, use the following line too:
sudo yum -y update openssl-devel

Restart any services that might be dependent on SSL, such as httpd, postfix, exim etc.
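Because the vendor patches keep the 1.0.1e version string, `openssl version` alone cannot tell you whether the update above has landed. The following check is an added example (not from this post or any vendor) that combines the release letter with the build date; it assumes that a rebuild of 1.0.1e dated on or after 7 April 2014 carries the fix, and the package changelog remains the authoritative confirmation.

```shell
#!/bin/sh
# Added example: classify an installed OpenSSL build against the advisory above.
# Inputs: the output of `openssl version` (e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013")
# and of `openssl version -b` (e.g. "built on: Mon Apr  7 20:31:55 UTC 2014").
# Assumption (not stated in the advisory): a vendor rebuild of 1.0.1e dated on or
# after 7 April 2014 carries the fix; the package changelog remains authoritative.

# vuln_release VERSION: succeeds for 1.0.1 .. 1.0.1f (a suffix such as -fips is
# ignored); 0.9.8x, 1.0.0x and 1.0.1g or later fail.
vuln_release() {
    case "$1" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;
        *) return 1 ;;
    esac
}

# build_day "built on: Mon Apr  7 20:31:55 UTC 2014" -> prints 20140407.
# Fails (prints nothing) when the date is not recognisable.
build_day() {
    set -- $(printf '%s\n' "$1" | sed 's/^built on: *//')
    mon=$2; day=$3
    for year; do :; done            # $year ends up as the last field
    case "$mon" in
        Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;; Jun) m=06;;
        Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;
    esac
    printf '%s%s%02d\n' "$year" "$m" "$day"
}

# heartbleed_status VERSION_LINE BUILT_ON_LINE -> prints one status word:
#   not-affected           release outside 1.0.1..1.0.1f
#   vulnerable             affected release, built before the fix date
#   likely-patched-rebuild affected release string, rebuilt on/after the fix date
#   unverified             affected release, build date unreadable: check changelog
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    if ! vuln_release "$ver"; then echo not-affected; return 0; fi
    day=$(build_day "$2") || { echo unverified; return 0; }
    if [ "$day" -ge 20140407 ]; then echo likely-patched-rebuild; else echo vulnerable; fi
}

# Run against the local binary: sh heartbleed_check.sh --local
if [ "${1:-}" = "--local" ]; then
    heartbleed_status "$(openssl version)" "$(openssl version -b)"
fi
```

Whatever the result, services that loaded the old library (apache2/httpd, postfix, exim) still need the restart described above before they stop using the vulnerable code.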

As usual, if you have any further questions, please get in touch with us via the comments system or via the usual support channels.
