OpenSSL Heartbleed Bug (< 1.0.1g) - Encryption keys at risk
Mod Note - Official Response by the cPanel Security Team has been posted to the cPanel Blog:
Heartbleed Vulnerability Information - cPanel Blog
Hi everyone. Any news on when OpenSSL 1.0.1g will be made available / pushed for us? Current version is 1.0.1e and that version is vulnerable to the OpenSSL Heartbleed bug.
Quote (from heartbleed.com): The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.
Source: http://heartbleed.com/ - Test for vulnerability here. What is being leaked? Encryption is used to protect secrets that may harm your privacy or security if they leak. In order to coordinate recovery from this bug we have classified the compromised secrets to four categories:
- primary key material,
- secondary key material and
- protected content and
- collateral.
Quote (magicalwonders, post 1625192): Do I need to do something about this and generate self-signed certificates? I have two IP addresses. My primary, which WHM is installed on is a shared IP with other domains, plus I have another domain on a dedicated IP address. My understanding is that SSL can only be installed on dedicated IP addresses? Maybe I have misunderstood that?
1. You would only need to consider regenerating certificates that were already installed/generated prior to when your system was patched. If no certificates were installed/previously generated, then it's not required. Remember to reset the service certificates in "WHM Home » Service Configuration » Manage Service SSL Certificates".
2. A dedicated IP address is not required for SSL certificates. Your system can utilize SNI and install multiple certificates on a single IP assuming you are using CentOS/Redhat 6+.
Thank you.
Quote (cPanelMichael, post 1626362): 1. You would only need to consider regenerating certificates that were already installed/generated prior to when your system was patched. If no certificates were installed/previously generated, then it's not required. Remember to reset the service certificates in "WHM Home » Service Configuration » Manage Service SSL Certificates". 2. A dedicated IP address is not required for SSL certificates. Your system can utilize SNI and install multiple certificates on a single IP assuming you are using CentOS/Redhat 6+. Thank you.
OK thanks. I reset all the service certificates, so I guess everything is good again. :)
OpenSSL / Heartbleed / cPanel - how to update? Total newbie - go easy on me!
Our host, Heart Internet, recently e-mailed us to inform us that their systems were vulnerable to the Heartbleed issue. We have a VPS with them running CentOS6 and an SSL certificate installed. Heart Internet won't, however, support us in fixing the issue suggesting, rather, that "if we don't know how to do it then maybe you should read a guide". :confused:
I am completely new to VPS management and this has worried the life out of me because I can't seem to get things updated. I worked out that I needed to use "Putty" to access the server using "shell"? (stop laughing!) and we entered the following, as recommended by Heart Internet:
openssl version
We are shown:
OpenSSL 1.0.1e-fips 11 Feb 2013
We have run through almost all of the update advice posted here: security - How to upgrade OpenSSL in CentOS 6.5 / Linux / Unix from source? - Stack Overflow (http://stackoverflow.com/questions/22952287/how-to-upgrade-openssl-in-centos-6-5-linux-unix-from-source)
...but despite it, we are still shown "OpenSSL 1.0.1e-fips 11 Feb 2013" in shell when we run "openssl version". So, we tried this, following advice in forums:
To verify the update simply check the changelog:
# rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160
you should see the following:
* Mon Apr 07 2014 Tomáš Mráz 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
...which we do! If we go to the following test site we are also told that our server is ok:
Re: OpenSSL / Heartbleed / cPanel - how to update? Total newbie - go easy on me!
Quote (nathonjones, post 1627251): Heart Internet are refusing to accept this because running "openssl version" always returns "OpenSSL 1.0.1e-fips 11 Feb 2013"
Could you have them review the blog post here so they are familiar with how to determine if a system is affected by the issue? Thanks.
Openssl : heart bleed upgrade
Hello Guys, I am unable to upgrade openssl in my server. Please see the logs below.
===============
yum update openssl
Loaded plugins: fastestmirror, refresh-updatesd, rhnplugin
Loading mirror speeds from cached hostfile
 * cloudlinux-x86_64-server-5: xmlrpc.cln.cloudlinux.com
 * epel: mirror.es.its.nyu.edu
Excluding Packages in global exclude list
Finished
Setting up Update Process
No Packages marked for Update
root@hawk [/usr/src/openssl-1.0.1g/crypto]# yum update
Loaded plugins: fastestmirror, refresh-updatesd, rhnplugin
Loading mirror speeds from cached hostfile
 * cloudlinux-x86_64-server-5: xmlrpc.cln.cloudlinux.com
 * epel: mirror.es.its.nyu.edu
Excluding Packages in global exclude list
Finished
Setting up Update Process
No Packages marked for Update
===============
# rpm -qa |grep openssl
openssl-devel-0.9.8e-27.el5_10.1
openssl-0.9.8e-27.el5_10.1
openssl-devel-0.9.8e-27.el5_10.1
openssl-0.9.8e-27.el5_10.1
================
# openssl version -a
-bash: openssl: command not found
================
tried to install latest version from source. make throws following error.
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -c -o cryptlib.o cryptlib.c
:0: internal compiler error: in builtin_function, at c-decl.c:2846
Please submit a full bug report, with preprocessed source if appropriate.
See for instructions.
make[1]: *** [cryptlib.o] Error 1
make[1]: Leaving directory `/usr/src/openssl-1.0.1g/crypto'
make: *** [build_crypto] Error 1
==========================
Re: Openssl : heart bleed upgrade
Quote (sreeninair, post 1627832): I am unable to upgrade openssl in my server. Please see the logs below.
RHEL/CentOS 5 servers (this would extend to Cloud Linux 5), which are using the OpenSSL 0.9.8 RPM included in the official OS repositories, are not vulnerable to the Heartbleed issue since they are using an older version of OpenSSL that never contained this vulnerability. This is from the following blog post: Heartbleed Vulnerability Information | cPanel, Inc. (http://cpanel.net/heartbleed-vulnerability-information/) Thanks.
Re: OpenSSL / Heartbleed / cPanel - how to update? Total newbie - go easy on me!
Quote (nathonjones, post 1627251): So, we tried this, following advice in forums: To verify the update simply check the changelog:
# rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160
you should see the following:
* Mon Apr 07 2014 Tomáš Mráz 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
...which we do! If we go to the following test site we are also told that our server is ok:
If you see that changelog and have rebooted then you are fine. CentOS / RHEL often "backports" software, meaning you see a version that looks the same, but it has patches added to it. If the
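As an added example (not from any poster in this thread), a small POSIX shell check that applies the rule in the reply above: on RHEL/CentOS the backported fix leaves "openssl version" reading 1.0.1e, so the verdict has to come from the package changelog. The function names, the changelog-file argument and the sample version strings in the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from this thread. Distro "backports" keep the upstream
# version string (1.0.1e) even after the CVE-2014-0160 fix is applied, so the
# package changelog, not "openssl version", decides whether a host is patched.

# Return 0 if the changelog text on stdin records a fix for the given CVE id.
changelog_has_fix() {
    grep -q -i -E "fix.*$1"
}

# Classify a host from its "openssl version" line and a saved changelog file.
# Prints: not-affected | fixed-upstream | fixed-backport | VULNERABLE | unknown
# Exit status: 0 when safe, 1 when vulnerable, 2 when the branch is not handled.
heartbleed_verdict() {
    version_line="$1"; changelog_file="$2"
    ver=${version_line#OpenSSL }   # e.g. "1.0.1e-fips 11 Feb 2013"
    ver=${ver%% *}                  # "1.0.1e-fips"
    ver=${ver%-fips}                # "1.0.1e"
    case "$ver" in
        0.9.8*|1.0.0*)              # branches that never contained the bug
            echo not-affected; return 0 ;;
        1.0.1|1.0.1[a-f]*)          # upstream-vulnerable: only a backport saves it
            if changelog_has_fix CVE-2014-0160 < "$changelog_file"; then
                echo fixed-backport; return 0
            fi
            echo VULNERABLE; return 1 ;;
        1.0.1*)                     # 1.0.1g and later carry the fix upstream
            echo fixed-upstream; return 0 ;;
        *)                          # other branches are outside this check
            echo unknown; return 2 ;;
    esac
}

# Live check on an RPM-based host (call it by hand; not run automatically).
live_check() {
    tmp=$(mktemp) || return 2
    rpm -q --changelog openssl > "$tmp" 2>/dev/null
    if heartbleed_verdict "$(openssl version)" "$tmp"; then rc=0; else rc=$?; fi
    rm -f "$tmp"
    return $rc
}
```

A fixed-backport or fixed-upstream verdict still requires that services were restarted (or the box rebooted) after the package update, as the reply above notes.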
Re: OpenSSL / Heartbleed / cPanel - how to update? Total newbie - go easy on me!
What about curlssl? curlSSL - Openssl heart bleed bug may not updated - Hosting Security and Technology - Web Hosting Talk (http://www.webhostingtalk.com/showthread.php?p=9103994#post9103994)
phpinfo shows curl using OpenSSL 1.0.0...what's the proper procedure to update? Are there any other binaries compiled with non-updated OpenSSL versions? thanks
The thread you referenced suggests running EasyApache. Do you notice the same OpenSSL version difference in your phpinfo file after running EasyApache? Thank you.
Re: OpenSSL Heartbleed Bug (< 1.0.1g) - Encryption keys at risk
Yes I did and it has the same version in phpinfo, Open SSL 1.0.0. yum update has no updates for it either.
- - - Updated - - -
...but I didn't # rm -rf /opt/curlssl as the poster suggested...wanted to hear if that would break anything first. actually just found out that OpenSSL 1.0.0 branch is NOT vulnerable, so that's OK for now.
Heartbleed-OpenSSL Vulnerability
Hi, Maldet is showing following warning regarding heartbleed vulnerability.
Quote: ATTENTION !! OpenSSL heartbleed vulnerability detected in openssl-1.0.1e-30.el6_5.2.x86_64 package, run 'yum update -y openssl' and restart server immediately!
We have checked it using following cmd.
# rpm -q --changelog openssl | grep CVE-2014-0224
- fix CVE-2014-0224 fix that broke EAP-FAST session resumption support
- fix CVE-2014-0224 - SSL/TLS MITM vulnerability
So please let us know if there is still any problem with openssl. More info:
# rpm -qa |grep openssl
openssl-1.0.1e-30.el6_5.2.x86_64
openssl098e-0.9.8e-18.el6_5.2.x86_64
openssl-devel-1.0.1e-30.el6_5.2.x86_64
# arch
x86_64
# cat /etc/redhat-release
CentOS release 6.5 (Final)
Thanks, RaviJas
Re: Heartbleed-OpenSSL Vulnerability
You may find this blog post useful: Heartbleed Vulnerability Information - cPanel Blog