Skip to main content

OpenSSL Heartbleed Bug (< 1.0.1g) - Encryption keys at risk

Comments

103 comments

  • SludgeMeister
    Regarding Heartbleed bug Hello, I've read a few forum posts regarding this but am a little confused and would appreciate some clarification. I checked my version of OpenSSL [QUOTE]root@node [~]# openssl version OpenSSL 1.0.1e-fips 11 Feb 2013 root@node [~]
    I have used "yum update" and "yum update openssl" and Update server / system software via WHM and it appears no updates are made (from the output). I have restarted the server etc. I am on CentOS 6 and only installed WHM/Cpanel about 7 days ago on this new server. [QUOTE] root@node [~]# openssl version OpenSSL 1.0.1e-fips 11 Feb 2013 root@node [~]#
    Which from what I read IS vulnerable. However, I also read that if the changelog has an update from Tomas Mraz regarding this, that I am using the "safe version". So my OpenSSL changelog output shows the following: [QUOTE] root@node [~]# rpm -q --changelog openssl-1.0.1e * Mon Apr 07 2014 Tom"" Mr"z 1.0.1e-16.7 - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
    Am I right in assuming I am good to go here? I am just confused as the version of OpenSSL is reported as OpenSSL 1.0.1e-fips 11 Feb 2013 and was reported as this before I attempted any update? Thanks
    0
  • MaraBlue
    WHM " Software " Update System Software
    , as posted by InfoPro, also works.
    0
  • pauloray
    [quote="MaraBlue, post: 1616281">WHM " Software " Update System Software
    , as posted by InfoPro, also works.
    Mine is checkyum version 21.1 Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * base: mirrors.adams.net * epel: ftp.osuosl.org * extras: ftp.osuosl.org * rpmforge: mirror.webnx.com * rpmfusion-free-updates: mirror.web-ster.com * updates: centos.mirror.facebook.net Setting up Update Process No Packages marked for Update checkyum version 21.1
    My VPS has OpenSSL 1.0.1e-fips 11 Feb 2013 How can I update OpenSSL?
    0
  • quizknows
    Re: Regarding Heartbleed bug [quote="SludgeMeister, post: 1616242">Hello, I've read a few forum posts regarding this but am a little confused and would appreciate some clarification. I checked my version of OpenSSL I have used "yum update" and "yum update openssl" and Update server / system software via WHM and it appears no updates are made (from the output). I have restarted the server etc. I am on CentOS 6 and only installed WHM/Cpanel about 7 days ago on this new server. Which from what I read IS vulnerable. However, I also read that if the changelog has an update from Tomas Mraz regarding this, that I am using the "safe version". So my OpenSSL changelog output shows the following: Am I right in assuming I am good to go here? I am just confused as the version of OpenSSL is reported as OpenSSL 1.0.1e-fips 11 Feb 2013 and was reported as this before I attempted any update? Thanks
    Your output from the changelog shows your version was backported or otherwise patched to fix this. You can check more info about the RPM with rpm -qi openssl Again, if your changelog shows the patch like yours does, you should be fine after restarting services. root@node [~]# rpm -q --changelog openssl-1.0.1e * Mon Apr 07 2014 Tom"" Mr"z 1.0.1e-16.7 - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
    0
  • MaraBlue
    [quote="pauloray, post: 1616332">Mine is checkyum version 21.1 Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * base: mirrors.adams.net * epel: ftp.osuosl.org * extras: ftp.osuosl.org * rpmforge: mirror.webnx.com * rpmfusion-free-updates: mirror.web-ster.com * updates: centos.mirror.facebook.net Setting up Update Process No Packages marked for Update checkyum version 21.1
    My VPS has OpenSSL 1.0.1e-fips 11 Feb 2013 How can I update OpenSSL?
    What version of CentOS are you running? v5 isn't vulnerable.
    0
  • serichards
    I'm assuming this one is ok: rpm -qi openssl Name : openssl Relocations: (not relocatable) Version : 1.0.1e Vendor: CentOS Release : 16.el6_5.7 Build Date: Tue 08 Apr 2014 03:43:19 BST
    0
  • phoenixweb
    I have upgraded the kernel and everything else, but openSSL is not upgrading to 1.0.1g I have tried several times but actually CENTOS repository still delivery the 1.0.1e (which is bugged): # yum update openssl Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * base: mirrors.prometeus.net * extras: mirrors.prometeus.net * updates: mirrors.prometeus.net Setting up Update Process No Packages marked for Update Why CPanel is using "mirrors.prometeus.net" as repository? and why is not updated with latest patch? Thanks, Max
    0
  • garhiyal
    Hi, W.r.t. this OpenSSL vulnerability, I have opened a ticket ID 4794343. Though I could have posted my questions in here, but due to general security reasons, I had to put them in the ticket. I request cPanel techs to kindly go through it. It has been nearly 2 hrs. since I opened the ticket. Thanks Kirti
    0
  • InterServed
    You will not receive 1.0.1g via centos repository no matter what you will try. You will get an updated 1.0.1e that contains a patch/fix for the described vulnerability. As described earlier on this topic, you can check this via : rpm -q --changelog openssl-1.0.1e|head
    which should return: * Mon Apr 07 2014 Tom"" Mr""z 1.0.1e-16.7 - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension [quote="phoenixweb, post: 1616502">I have upgraded the kernel and everything else, but openSSL is not upgrading to 1.0.1g I have tried several times but actually CENTOS repository still delivery the 1.0.1e (which is bugged): # yum update openssl Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * base: mirrors.prometeus.net * extras: mirrors.prometeus.net * updates: mirrors.prometeus.net Setting up Update Process No Packages marked for Update Why CPanel is using "mirrors.prometeus.net" as repository? and why is not updated with latest patch? Thanks, Max
    0
  • ChrisUpjohn
    To anyone still getting warnings from [url=http://filippo.io/Heartbleed/]Test your server for Heartbleed (CVE-2014-0160) simply try rebooting your server, most OS vendors have released a patch by now but it doesn't take affect until your server is restarted.
    0
  • JaredR.
    A reboot is not strictly necessary, because you can simply restart each service that uses OpenSSL, but you may find rebooting to be more convenient than restarting each service one by one.
    0
  • Legin76
    I've updated openssl but even after a reboot, php info shows OpenSSL Library Version OpenSSL 1.0.1e-fips 11 Feb 2013 is this correct? rpm -q --changelog openssl-1.0.1e|head * Mon Apr 07 2014 Tom"" Mr""z 1.0.1e-16.7 - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension * Tue Jan 07 2014 Tom"" Mr""z 1.0.1e-16.4 - fix CVE-2013-4353 - Invalid TLS handshake crash * Mon Jan 06 2014 Tom"" Mr""z 1.0.1e-16.3 - fix CVE-2013-6450 - possible MiTM attack on DTLS1 * Fri Dec 20 2013 Tom"" Mr""z 1.0.1e-16.2
    0
  • cPanelMichael
    [quote="Legin76, post: 1616781">I've updated openssl but even after a reboot, php info shows OpenSSL Library Version OpenSSL 1.0.1e-fips 11 Feb 2013 is this correct?
    Yes, the output you provided indicates the patch has been applied: [QUOTE] - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
    The RPM is patched, so you won't necessarily see a new version. Instead, you will see the CVE listed in the RPM change log. Thank you.
    0
  • cPanelMichael
    [quote="Bashed, post: 1616711">Not working for me. Already tried whm > software > update system software and update server software. Both had no updates. root@server [~]# rpm -qa |grep openssl openssl-1.0.1e-16.el6_5.x86_64 openssl-devel-1.0.1e-16.el6_5.x86_64
    Please run the following command: rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160
    Look for output that indicates a patch for CVE-2014-0160 has been backported to determine if the RPM has been updated. Thank you.
    0
  • divemasterza
    Just a bit of heads up: In my case Apachebooster compiles a version of nginx vulnerable to HeartBleed Bug. Temporarily removing Apachebooster until fix is my only solution.
    0
  • cPanelDon
    [quote="phoenixweb, post: 1616502">Why CPanel is using "mirrors.prometeus.net" as repository? and why is not updated with latest patch? Thanks, Max
    cPanel does not distribute OpenSSL packages. The OpenSSL packages and updates for them originate from your OS vendor and applicable YUM/RPM repositories. The mirror addresses may vary depending on your OS distribution and YUM configuration.
    0
  • craigedmonds
    so to confirm... this means my system is NOT vulnerable? [QUOTE][root@ ~]# openssl version OpenSSL 1.0.1e-fips 11 Feb 2013
    If I go to the heartbleed site it still says I am vulnerable. Its very confusing!
    0
  • cPanelMichael
    [quote="craigedmonds, post: 1617132">so to confirm... this means my system is NOT vulnerable? [root@ ~]# openssl version OpenSSL 1.0.1e-fips 11 Feb 2013 If I go to the heartbleed site it still says I am vulnerable. Its very confusing!
    Run this command: rpm -q --changelog openssl | grep -B 1 CVE-2014-0160
    Look for output that indicates a patch for CVE-2014-0160 has been backported to determine if the RPM has been updated. Thank you.
    0
  • planetjoin
    [quote="panayot, post: 1616032">You can check exact version with: rpm -qa |grep openssl
    Answer for RHEL 6/Centos 6 should be: openssl-1.0.1e-16.el6_5.7.x86_64 openssl-devel-1.0.1e-16.el6_5.7.x86_64
    Hello : if i check using the above command and i get exactly that answer.. that means my servers are OK and i not need any upgrade? Thanks :) Fabian
    0
  • cPanelMichael
    Please see my previous post to this thread. While yes, newer versions should include the patch, you can verify this with a command such as: rpm -q --changelog openssl | grep -B 1 CVE-2014-0160
    Thanks.
    0
  • planetjoin
    Hello Michael one of my servers : [~]# openssl version OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 and : [~]# rpm -q --changelog openssl | grep -B 1 CVE-2014-0160 nothing display after that command also : [~]# yum update openssl Excluding Packages in global exclude list Finished Setting up Update Process No Packages marked for Update ?? Fabian
    0
  • cPanelMichael
    [quote="planetjoin, post: 1617211">one of my servers : [~]# openssl version OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
    RHEL/CentOS 5 servers which are using the OpenSSL 0.9.8 RPM included in the official OS repositories are not vulnerable since they are using an older version of OpenSSL that never contained this vulnerability.
    0
  • Squiz
    Is a graceful server reboot via WHM sufficient? I have done it and checked that the vulnerability is gone and it appears to have gone now. But is a graceful server reboot enough to restart all the effected services? Also is there a list of vulnerable ports available that I can test? Finally, after that is done I believe I still need to re-issue SSL certificates? Including service SSl certificates just to be safe? Then once that is done finally change passwords? Just want to be clear on this. Thanks
    0
  • cPanelDon
    [quote="Squiz, post: 1617251">Is a graceful server reboot via WHM sufficient? I have done it and checked that the vulnerability is gone and it appears to have gone now. But is a graceful server reboot enough to restart all the effected services?
    Yes. A reboot is still a reboot, and in doing so restarts all services. [quote="Squiz, post: 1617251">Also is there a list of vulnerable ports available that I can test?
    A list of ports will vary based on what all you have running on your server; you can manually check via command-line which ports services are listening on and test those. Try lsof and netstat via CLI as root. man lsof man netstat
    [quote="Squiz, post: 1617251">Finally, after that is done I believe I still need to re-issue SSL certificates? Including service SSl certificates just to be safe? Then once that is done finally change passwords? Just want to be clear on this. Thanks
    Yes; I believe it is a very good idea to change passwords and create new keys to then re-issue SSL certificates.
    0
  • fdnven
    Niffy chrome app
    0
  • markb14391
    Is there any recommended way to patch and verify cPanel DNS Only servers?
    0
  • adv
    Before i read this thread i just grep the openssl 1.0.1g from openssl, compile it and install it then i restart apache, it is working well now. Although i know cpanel will not recommand this, as this can break things down, but it is hard for us to update cpanel anyway, as we have many customer on the server.
    0
  • Monsta_AU
    [quote="markb14391, post: 1617401">Is there any recommended way to patch and verify cPanel DNS Only servers?
    Just run 'yum -y update' as normal, reboot. Then check for the updated changelog with "rpm -q --changelog openssl | grep -B 1 CVE-2014-0160"
    0
  • subwoofer12
    Upgrading OpenSSL Is there a way to update OpenSSL within WHM? I have version 1.0.1e which means I'm affected by Heartbleed. I want to upgrade to 1.0.1g.
    0
  • netbuilder
    I have install the latest openssl version 1.0.1g on server. But the apache still show old version of openssl after stop/start apache (refer screenshot). Anyone know how to resolve? If using EasyApache to recompile apache, will it cause openssl version revert back to default version 0.9.8e which is much more older. .vB [QUOTE] :/>ssh -V OpenSSH_6.4p1, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 :/>openssl version OpenSSL 1.0.1g 7 Apr 2014
    Thank you.
    0

Please sign in to leave a comment.