OpenSSL Heartbleed Bug (< 1.0.1g) - Encryption keys at risk
Mod Note -
Official Response by the cPanel Security Team has been posted to the cPanel Blog:
Heartbleed Vulnerability Information - cPanel Blog
Hi everyone. Any news on when OpenSSL 1.0.1g will be made available / pushed for us? Current version is 1.0.1e and that version is vulnerable to the OpenSSL Heartbleed bug.
[QUOTE]The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.

Source: http://heartbleed.com/ (you can test for the vulnerability there).

What is being leaked? Encryption is used to protect secrets that may harm your privacy or security if they leak. In order to coordinate recovery from this bug we have classified the compromised secrets into four categories:
- primary key material,
- secondary key material,
- protected content and
- collateral.[/QUOTE]
Regarding Heartbleed bug

Hello, I've read a few forum posts regarding this but am a little confused and would appreciate some clarification. I checked my version of OpenSSL:
[QUOTE]root@node [~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
root@node [~]#[/QUOTE]
I have used "yum update" and "yum update openssl" and Update Server / System Software via WHM and it appears no updates are made (from the output). I have restarted the server etc. I am on CentOS 6 and only installed WHM/cPanel about 7 days ago on this new server.

Which from what I read IS vulnerable. However, I also read that if the changelog has an update from Tomas Mraz regarding this, I am using the "safe version". So my OpenSSL changelog output shows the following:
[QUOTE]root@node [~]# rpm -q --changelog openssl-1.0.1e
* Mon Apr 07 2014 Tomáš Mráz 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension[/QUOTE]
Am I right in assuming I am good to go here? I am just confused as the version of OpenSSL is reported as OpenSSL 1.0.1e-fips 11 Feb 2013 and was reported as this before I attempted any update? Thanks
WHM >> Software >> Update System Software, as posted by InfoPro, also works.
[QUOTE="MaraBlue"]WHM >> Software >> Update System Software, as posted by InfoPro, also works.[/QUOTE]
Mine is:
[QUOTE]checkyum version 21.1
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.adams.net
 * epel: ftp.osuosl.org
 * extras: ftp.osuosl.org
 * rpmforge: mirror.webnx.com
 * rpmfusion-free-updates: mirror.web-ster.com
 * updates: centos.mirror.facebook.net
Setting up Update Process
No Packages marked for Update
checkyum version 21.1[/QUOTE]
My VPS has OpenSSL 1.0.1e-fips 11 Feb 2013. How can I update OpenSSL?
Re: Regarding Heartbleed bug

[QUOTE="SludgeMeister"]Hello, I've read a few forum posts regarding this but am a little confused and would appreciate some clarification. I checked my version of OpenSSL. I have used "yum update" and "yum update openssl" and Update Server / System Software via WHM and it appears no updates are made (from the output). I have restarted the server etc. I am on CentOS 6 and only installed WHM/cPanel about 7 days ago on this new server. Which from what I read IS vulnerable. However, I also read that if the changelog has an update from Tomas Mraz regarding this, I am using the "safe version". So my OpenSSL changelog output shows the following:
root@node [~]# rpm -q --changelog openssl-1.0.1e
* Mon Apr 07 2014 Tomáš Mráz 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
Am I right in assuming I am good to go here? I am just confused as the version of OpenSSL is reported as OpenSSL 1.0.1e-fips 11 Feb 2013 and was reported as this before I attempted any update? Thanks[/QUOTE]
Your output from the changelog shows your version was backported or otherwise patched to fix this. You can check more info about the RPM with:
rpm -qi openssl
Again, if your changelog shows the patch like yours does, you should be fine after restarting services.
[QUOTE="pauloray"]Mine is:
checkyum version 21.1
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.adams.net
 * epel: ftp.osuosl.org
 * extras: ftp.osuosl.org
 * rpmforge: mirror.webnx.com
 * rpmfusion-free-updates: mirror.web-ster.com
 * updates: centos.mirror.facebook.net
Setting up Update Process
No Packages marked for Update
checkyum version 21.1
My VPS has OpenSSL 1.0.1e-fips 11 Feb 2013. How can I update OpenSSL?[/QUOTE]
What version of CentOS are you running? v5 isn't vulnerable.
I'm assuming this one is ok:
rpm -qi openssl
Name        : openssl                      Relocations: (not relocatable)
Version     : 1.0.1e                            Vendor: CentOS
Release     : 16.el6_5.7                    Build Date: Tue 08 Apr 2014 03:43:19 BST
I have upgraded the kernel and everything else, but OpenSSL is not upgrading to 1.0.1g. I have tried several times, but actually the CentOS repository still delivers 1.0.1e (which is bugged):
# yum update openssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.prometeus.net
 * extras: mirrors.prometeus.net
 * updates: mirrors.prometeus.net
Setting up Update Process
No Packages marked for Update
Why is cPanel using "mirrors.prometeus.net" as repository? And why is it not updated with the latest patch? Thanks, Max
Hi, W.r.t. this OpenSSL vulnerability, I have opened a ticket, ID 4794343. Though I could have posted my questions in here, due to general security reasons I had to put them in the ticket. I request cPanel techs to kindly go through it. It has been nearly 2 hrs. since I opened the ticket. Thanks, Kirti
[QUOTE="phoenixweb"]I have upgraded the kernel and everything else, but OpenSSL is not upgrading to 1.0.1g. I have tried several times, but actually the CentOS repository still delivers 1.0.1e (which is bugged):
# yum update openssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.prometeus.net
 * extras: mirrors.prometeus.net
 * updates: mirrors.prometeus.net
Setting up Update Process
No Packages marked for Update
Why is cPanel using "mirrors.prometeus.net" as repository? And why is it not updated with the latest patch? Thanks, Max[/QUOTE]
You will not receive 1.0.1g via the CentOS repository no matter what you try. You will get an updated 1.0.1e that contains a patch/fix for the described vulnerability. As described earlier on this topic, you can check this via:
rpm -q --changelog openssl-1.0.1e|head
which should return:
* Mon Apr 07 2014 Tomáš Mráz 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
To anyone still getting warnings from Test your server for Heartbleed (CVE-2014-0160) (http://filippo.io/Heartbleed/): simply try rebooting your server. Most OS vendors have released a patch by now, but it doesn't take effect until your server is restarted.
A reboot is not strictly necessary, because you can simply restart each service that uses OpenSSL, but you may find rebooting to be more convenient than restarting each service one by one.
I've updated openssl but even after a reboot, phpinfo shows OpenSSL Library Version OpenSSL 1.0.1e-fips 11 Feb 2013. Is this correct?
rpm -q --changelog openssl-1.0.1e|head
* Mon Apr 07 2014 Tomáš Mráz 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
* Tue Jan 07 2014 Tomáš Mráz 1.0.1e-16.4
- fix CVE-2013-4353 - Invalid TLS handshake crash
* Mon Jan 06 2014 Tomáš Mráz 1.0.1e-16.3
- fix CVE-2013-6450 - possible MiTM attack on DTLS1
* Fri Dec 20 2013 Tomáš Mráz 1.0.1e-16.2
[QUOTE="Legin76"]I've updated openssl but even after a reboot, phpinfo shows OpenSSL Library Version OpenSSL 1.0.1e-fips 11 Feb 2013. Is this correct?[/QUOTE]
Yes, the output you provided indicates the patch has been applied:
[QUOTE]- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension[/QUOTE]
The RPM is patched, so you won't necessarily see a new version. Instead, you will see the CVE listed in the RPM change log. Thank you.
[QUOTE="Bashed"]Not working for me. Already tried WHM > Software > Update System Software and Update Server Software. Both had no updates.
root@server [~]# rpm -qa |grep openssl
openssl-1.0.1e-16.el6_5.x86_64
openssl-devel-1.0.1e-16.el6_5.x86_64[/QUOTE]
Please run the following command:
rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160
Look for output that indicates a patch for CVE-2014-0160 has been backported to determine if the RPM has been updated. Thank you.
Just a bit of a heads up: in my case ApacheBooster compiles a version of nginx vulnerable to the Heartbleed bug. Temporarily removing ApacheBooster until a fix is available is my only solution.
[QUOTE="phoenixweb"]Why is cPanel using "mirrors.prometeus.net" as repository? And why is it not updated with the latest patch? Thanks, Max[/QUOTE]
cPanel does not distribute OpenSSL packages. The OpenSSL packages and updates for them originate from your OS vendor and applicable YUM/RPM repositories. The mirror addresses may vary depending on your OS distribution and YUM configuration.
So to confirm... this means my system is NOT vulnerable?
[QUOTE][root@ ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013[/QUOTE]
If I go to the heartbleed site it still says I am vulnerable. It's very confusing!
[QUOTE="craigedmonds"]So to confirm... this means my system is NOT vulnerable?
[root@ ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
If I go to the heartbleed site it still says I am vulnerable. It's very confusing![/QUOTE]
Run this command:
rpm -q --changelog openssl | grep -B 1 CVE-2014-0160
Look for output that indicates a patch for CVE-2014-0160 has been backported to determine if the RPM has been updated. Thank you.
[QUOTE="panayot"]You can check the exact version with:
rpm -qa |grep openssl
The answer for RHEL 6/CentOS 6 should be:
openssl-1.0.1e-16.el6_5.7.x86_64
openssl-devel-1.0.1e-16.el6_5.7.x86_64[/QUOTE]
Hello: if I check using the above command and I get exactly that answer, does that mean my servers are OK and I don't need any upgrade? Thanks :) Fabian
Please see my previous post to this thread. While yes, newer versions should include the patch, you can verify this with a command such as:
rpm -q --changelog openssl | grep -B 1 CVE-2014-0160
Thanks.
Hello Michael, one of my servers:
[~]# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
and:
[~]# rpm -q --changelog openssl | grep -B 1 CVE-2014-0160
Nothing is displayed after that command. Also:
[~]# yum update openssl
Excluding Packages in global exclude list
Finished
Setting up Update Process
No Packages marked for Update
?? Fabian
[QUOTE="planetjoin"]One of my servers:
[~]# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008[/QUOTE]
RHEL/CentOS 5 servers which are using the OpenSSL 0.9.8 RPM included in the official OS repositories are not vulnerable since they are using an older version of OpenSSL that never contained this vulnerability.
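Putting the replies above together as one check (an added example, not code from the thread or from cPanel): it classifies a host from the output of `openssl version` and `rpm -q --changelog openssl`, treating the 0.9.8 branch as not affected, and a 1.0.1 build as safe only when it is 1.0.1g or later or the changelog records the CVE-2014-0160 backport. The sample changelog strings are constructed from the entries quoted in the thread.

```shell
#!/bin/sh
# Added example, not part of the thread: decide whether a CentOS/RHEL host is
# exposed to Heartbleed from two strings, so the logic runs offline on samples.
#   $1 - output of `openssl version`, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013"
#   $2 - output of `rpm -q --changelog openssl` (may be empty)
# Prints one word: not_affected, patched, vulnerable or unknown.
heartbleed_status() {
    version_line=$1
    changelog=$2
    ver=${version_line#OpenSSL }   # "1.0.1e-fips 11 Feb 2013"
    ver=${ver%% *}                 # "1.0.1e-fips"
    ver=${ver%%-*}                 # "1.0.1e"
    case "$ver" in
        0.9.*|1.0.0*)
            # These branches never contained the heartbeat bug.
            echo not_affected; return 0 ;;
        1.0.1|1.0.1[abcdef])
            # 1.0.1 through 1.0.1f: vulnerable upstream; CentOS fixes it
            # with a backport that keeps the 1.0.1e version string.
            ;;
        1.0.1*)
            echo patched; return 0 ;;   # 1.0.1g and later carry the upstream fix
        *)
            echo unknown; return 0 ;;
    esac
    # Vulnerable branch: only the RPM changelog tells us if the backport is in.
    if printf '%s\n' "$changelog" | grep -q 'CVE-2014-0160'; then
        echo patched
    else
        echo vulnerable
    fi
}

# Constructed sample changelogs (modelled on the entries quoted in the thread).
PATCHED_LOG='* Mon Apr 07 2014 Tomas Mraz 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
* Tue Jan 07 2014 Tomas Mraz 1.0.1e-16.4
- fix CVE-2013-4353 - Invalid TLS handshake crash'
UNPATCHED_LOG='* Tue Jan 07 2014 Tomas Mraz 1.0.1e-16.4
- fix CVE-2013-4353 - Invalid TLS handshake crash'

# Offline demonstration on the samples; on a live host run instead:
#   heartbleed_status "$(openssl version)" "$(rpm -q --changelog openssl)"
heartbleed_status 'OpenSSL 1.0.1e-fips 11 Feb 2013' "$PATCHED_LOG"     # patched
heartbleed_status 'OpenSSL 1.0.1e-fips 11 Feb 2013' "$UNPATCHED_LOG"   # vulnerable
heartbleed_status 'OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008' ''           # not_affected
```

On a host where an extra OpenSSL was compiled by hand, `openssl version` may report the hand-built binary while packaged services still link the vendor library, so the RPM changelog is the safer signal for those services.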
Is a graceful server reboot via WHM sufficient? I have done it and checked that the vulnerability is gone and it appears to have gone now. But is a graceful server reboot enough to restart all the affected services? Also is there a list of vulnerable ports available that I can test? Finally, after that is done I believe I still need to re-issue SSL certificates? Including service SSL certificates just to be safe? Then once that is done finally change passwords? Just want to be clear on this. Thanks
[QUOTE="Squiz"]Is a graceful server reboot via WHM sufficient? I have done it and checked that the vulnerability is gone and it appears to have gone now. But is a graceful server reboot enough to restart all the affected services?[/QUOTE]
Yes. A reboot is still a reboot, and in doing so restarts all services.
[QUOTE="Squiz"]Also is there a list of vulnerable ports available that I can test?[/QUOTE]
A list of ports will vary based on what all you have running on your server; you can manually check via command-line which ports services are listening on and test those. Try lsof and netstat via CLI as root:
man lsof
man netstat
[QUOTE="Squiz"]Finally, after that is done I believe I still need to re-issue SSL certificates? Including service SSL certificates just to be safe? Then once that is done finally change passwords? Just want to be clear on this. Thanks[/QUOTE]
Yes; I believe it is a very good idea to change passwords and create new keys to then re-issue SSL certificates.
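An added example (not from the thread) of the service-by-service check the replies above describe, for those restarting services instead of rebooting: the RPM upgrade unlinks the old libssl/libcrypto files, so any process that still maps a deleted copy has not been restarted. The function parses `lsof` output on stdin; the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the thread: list processes that still have the
# pre-upgrade OpenSSL libraries mapped and therefore need a restart.
# Reads `lsof` output on stdin and prints one "COMMAND PID" per process.
# The column count varies per line, so the path is taken from the line's end.
stale_openssl_users() {
    awk '
        # A mapping of a file replaced by the RPM upgrade shows up either
        # with FD "DEL" or with a trailing "(deleted)" after the path,
        # depending on the lsof version.
        $4 == "DEL" || $NF == "(deleted)" {
            path = ($NF == "(deleted)") ? $(NF - 1) : $NF
            if (path ~ /lib(ssl|crypto)\.so/) seen[$1 " " $2] = 1
        }
        END { for (k in seen) print k }
    ' | sort
}

# Constructed sample of `lsof` output: httpd and sshd still map the removed
# libraries; exim and cpsrvd were already restarted and map the new files.
LSOF_SAMPLE='COMMAND  PID  USER     FD   TYPE DEVICE SIZE/OFF   NODE NAME
httpd   2201 nobody   DEL  REG  253,0          1311337 /usr/lib64/libssl.so.1.0.1e
httpd   2201 nobody   DEL  REG  253,0          1311320 /usr/lib64/libcrypto.so.1.0.1e
exim    1570 mailnull mem  REG  253,0  417728 1311338 /usr/lib64/libssl.so.1.0.1e
sshd    1401 root     mem  REG  253,0  417728 1311402 /usr/lib64/libssl.so.1.0.1e (deleted)
cpsrvd  1899 root     mem  REG  253,0  417728 1311501 /usr/lib64/libssl.so.1.0.1e
httpd   2201 nobody    4u  IPv4  12345      0t0    TCP *:443 (LISTEN)'

# Offline demonstration; on a live host run:  lsof -n | stale_openssl_users
printf '%s\n' "$LSOF_SAMPLE" | stale_openssl_users   # httpd 2201, sshd 1401
```

Once this prints nothing, the remaining step from the thread applies unchanged: test the listening ports and then replace keys, certificates and passwords.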
Is there any recommended way to patch and verify cPanel DNS Only servers?
Before I read this thread I just grabbed openssl 1.0.1g from openssl, compiled it and installed it, then restarted Apache; it is working well now. Although I know cPanel will not recommend this, as this can break things, it is hard for us to update cPanel anyway, as we have many customers on the server.
[QUOTE="markb14391"]Is there any recommended way to patch and verify cPanel DNS Only servers?[/QUOTE]
Just run 'yum -y update' as normal, then reboot. Then check for the updated changelog with:
rpm -q --changelog openssl | grep -B 1 CVE-2014-0160
Upgrading OpenSSL

Is there a way to update OpenSSL within WHM? I have version 1.0.1e which means I'm affected by Heartbleed. I want to upgrade to 1.0.1g.
I have installed the latest openssl version 1.0.1g on the server. But Apache still shows the old version of openssl after a stop/start of Apache (refer screenshot). Anyone know how to resolve this? If using EasyApache to recompile Apache, will it cause the openssl version to revert back to the default version 0.9.8e, which is much older?
[QUOTE]:/>ssh -V
OpenSSH_6.4p1, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
:/>openssl version
OpenSSL 1.0.1g 7 Apr 2014[/QUOTE]
Thank you.