Heartbleed SSL Vulnerability

Poly (Guru, Posts: 1091, Loc: Same place you left me.)

Post 3+ Months Ago

Everybody who operates their own website, whether it be on shared, dedicated, VPS, cloud or any other type of hosting, should check to see if they are vulnerable to the Heartbleed SSL vulnerability. This affects OpenSSL versions 1.0.1 through 1.0.1f inclusive. On Linux, some distros' 1.0.1e has been patched. For CentOS and Red Hat, 1.0.1e-16.el6_5.7 has been patched to repair the vulnerability. On Debian, 1.0.1e+deb7u5 has been patched. On Amazon AMI, 1.0.1e-37.66 has been patched. For any other distros, please check their websites for documentation.

Please also be aware that ESXi as well as recent Linux based virtual appliances like VCSA and VMA also appear to be vulnerable.

You can check to see if your site is vulnerable by using Filippo.io.

For documentation on what Heartbleed is, visit Heartbleed.com.

It is exceedingly rare that a vulnerability is as serious as experts say it is. This is one of those rare cases. This affects over 66% of the web. If you are using other companies' software or websites for your critical data, it is prudent to check to see if they have patched.

Bogey (Genius, Posts: 8388, Loc: USA)

Post 3+ Months Ago

I get a server not found for that flippo.io link you provided. Not that I have a site to check, but others who do won't be able to.

Kind of makes you doubt the security... it's there but it's not working as well as it should :/

Thanks for the heads up.
Zealous (Guru, Posts: 1241, Loc: Sydney)

Post 3+ Months Ago

Apparently this has been around for over 2 years and is only just getting patched now.
Bigwebmaster (Site Admin, Posts: 9089, Loc: Seattle, WA & Phoenix, AZ)

Post 3+ Months Ago

I can also confirm this is a serious bug, and between the company I work for now and my own servers I have been busy checking to make sure nothing is vulnerable.

Another great tool to see if your website is vulnerable:

https://www.ssllabs.com/ssltest/

It also shows other issues you may not be aware of.

You can also type this from the command line in Linux:

Code:
openssl version -a

to get an idea what version you are using. As Poly mentioned though, you may have a patched version.

On CentOS you can run the following command:

Code:
yum update

and then restart all of the services that use SSL, or better yet, restart the server itself so that you do not forget anything. To make sure you have installed a patched version you can type this at the command prompt in Linux:

Code:
rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160

and if you see something like:

Quote:
* Mon Apr 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

then that would also confirm you have fixed it. Again, make sure you restart the services though, or it will still be using the old version. If you have your own dedicated machine and the privileges to reboot, then you can do so with the following command:

Code:
/sbin/shutdown -r now

If you have a system administrator, you may want to have them do all of this, however.
Poly (Guru, Posts: 1091, Loc: Same place you left me.)

Post 3+ Months Ago

Bogey wrote:
I get a server not found for that flippo.io link you provided. Not that I have a site to check, but others who do won't be able to.

Kind of makes you doubt the security... it's there but it's not working as well as it should :/

Thanks for the heads up.

Thanks, typo! It is actually filippo.io. Fixed in the original post.


BWM: We had issues with restarting our services. We ended up having to kill the process and restart it. For some reason using a restart command was not functioning correctly. It would return the new version, but when we tested it for Heartbleed it was still working. We initially thought it was a bad repo, but turned out that we had to entirely kill the process to get it to work. Just as an FYI for anybody running into the same issue. As mentioned, rebooting the server would be ideal.
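As an added example that is not part of the thread (and not OpenSSL's or Red Hat's tooling), the POSIX shell script below automates the two checks discussed in Bigwebmaster's post and Poly's follow-up: it classifies the string printed by "openssl version" against the affected range the thread names (1.0.1 through 1.0.1f), and it finds services that were "restarted" but still execute the replaced library, which is the situation Poly describes where the version looked new yet the service still tested vulnerable. A process that keeps running old code after the package upgrade shows the replaced libssl/libcrypto as "(deleted)" in /proc/<pid>/maps. The function names and the maps lines used for the demonstration are constructed for this example; only audit_running_processes touches a live host, and only on Linux.

```shell
#!/bin/sh
# Added example, not code from the thread, from OpenSSL or from Red Hat.
#   1. heartbleed_version_class: classify the banner from `openssl version`
#      against the vulnerable range named in the thread (CVE-2014-0160).
#   2. stale_ssl_mappings / audit_running_processes: find processes that
#      still map a libssl/libcrypto that was replaced on disk, i.e. a
#      daemon that needs a full stop/start (or a reboot) despite the update.
# The maps files built by make_sample_maps are constructed sample data.

# Usage: heartbleed_version_class "OpenSSL 1.0.1e-fips 11 Feb 2013"
# Prints one of: vulnerable, not-affected, unknown.
# A distro backport such as 1.0.1e-16.el6_5.7 still prints 1.0.1e, so
# "vulnerable" means "now check the package changelog for the CVE", as the
# rpm --changelog command in the thread does; it does not prove exposure.
heartbleed_version_class() {
    full=$(printf '%s\n' "$1" | awk '{print $2}')
    base=${full%%-*}                         # drop "-fips" style suffixes
    case "$full" in
        1.0.2-beta1*) echo vulnerable; return 0 ;;   # 1.0.2-beta1 was affected too
    esac
    case "$base" in
        1.0.1|1.0.1[a-f])               echo vulnerable ;;
        1.0.1[g-z]|1.0.2*|1.1.*|3.*)    echo not-affected ;;
        1.0.0*|0.9.*)                   echo not-affected ;;  # no heartbeat extension
        *)                              echo unknown ;;
    esac
}

# Usage: stale_ssl_mappings /proc/<pid>/maps
# Prints every libssl/libcrypto mapping whose backing file was replaced or
# removed after the process started. Exit status 0 if any was found (the
# process is still executing the old library), 1 if none.
stale_ssl_mappings() {
    grep -E '/lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$' "$1"
}

# Usage: audit_running_processes
# Walks /proc on a live Linux host and lists PIDs that still run the old
# library. Hypothetical helper name; does nothing where /proc is absent.
audit_running_processes() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        if stale_ssl_mappings "$maps" >/dev/null 2>&1; then
            echo "PID $pid still maps an old libssl/libcrypto"
        fi
    done
}

# Constructed sample: stale.maps looks like a daemon that was "restarted"
# by a reload that kept the old mapping; fresh.maps like one started anew.
# Prints the directory holding both files.
make_sample_maps() {
    dir=$(mktemp -d)
    cat > "$dir/stale.maps" <<'EOF'
7f0a1c000000-7f0a1c1d5000 r-xp 00000000 fd:01 131072 /usr/lib64/libssl.so.1.0.1e (deleted)
7f0a1c1d5000-7f0a1c3d4000 ---p 001d5000 fd:01 131072 /usr/lib64/libssl.so.1.0.1e (deleted)
7f0a1c600000-7f0a1c7a0000 r-xp 00000000 fd:01 131099 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f0a1d000000-7f0a1d020000 r-xp 00000000 fd:01 131200 /usr/lib64/libz.so.1.2.3
EOF
    cat > "$dir/fresh.maps" <<'EOF'
7f0a1c000000-7f0a1c1d5000 r-xp 00000000 fd:01 131301 /usr/lib64/libssl.so.1.0.1e
7f0a1c600000-7f0a1c7a0000 r-xp 00000000 fd:01 131302 /usr/lib64/libcrypto.so.1.0.1e
EOF
    echo "$dir"
}

# Stand-alone run: show both checks on the constructed data.
demo() {
    for banner in "OpenSSL 1.0.1e-fips 11 Feb 2013" "OpenSSL 1.0.1g 7 Apr 2014" "OpenSSL 1.0.0k 5 Feb 2013"; do
        printf '%-36s -> %s\n' "$banner" "$(heartbleed_version_class "$banner")"
    done
    d=$(make_sample_maps)
    echo "stale.maps:"; stale_ssl_mappings "$d/stale.maps" || echo "(none)"
    echo "fresh.maps:"; stale_ssl_mappings "$d/fresh.maps" || echo "(none)"
    rm -rf "$d"
}
demo
```

On a real host the useful call after "yum update" is audit_running_processes: any PID it lists is a service that reports the new package but is still running the old code, which matches what Poly saw and is why a full kill/start or a reboot is the safe choice.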

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.