An extremely critical security issue was recently discovered in OpenSSL. It affects versions 1.0.1 through 1.0.1f. All CentOS 6.5 installations ship with OpenSSL 1.0.1e-15 and are therefore vulnerable to this bug; note that older stable CentOS releases are not. All Ubuntu releases since Ubuntu 12.04 are affected as well. The bug even got its own name, “Heartbleed”.
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read and “steal” 64k of memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
Fixing it is relatively simple now that most Linux distributions have pushed a fixed OpenSSL version to their repositories. To patch this vulnerability, affected users should update to the latest OpenSSL package. So the update should be as easy as:
Fedora/CentOS

# yum clean all
# yum check-update
# yum update

Ubuntu/Debian

# sudo apt-get update
# sudo apt-get upgrade openssl
If all went without errors, that’s it. Now let’s make sure that we are running a version without the security issue.
Fedora/CentOS

# rpm -qa | grep openssl
openssl-1.0.1e-16.el6_5.7.x86_64
openssl-devel-1.0.1e-16.el6_5.7.x86_64

Ubuntu/Debian

# openssl version
OpenSSL 1.0.1 14 Mar 2012
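Two things are worth automating here, and the page's own output shows why: the upstream string printed by `openssl version` (“OpenSSL 1.0.1 14 Mar 2012”) falls inside the affected range even on a patched Ubuntu box, because distributions backport the fix without bumping the upstream version. The first function below classifies the upstream string against the 1.0.1 through 1.0.1f range stated above; the second compares the distribution's version-release (as printed by `rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl`) against the fixed release shown in the output above. This is an added example, not part of the original article; it assumes GNU `sort -V` for the version ordering. On Debian/Ubuntu the equivalent of the second check is `dpkg --compare-versions "$installed" ge "$fixed"` run against the `libssl1.0.0` package, which is the shared library the services actually load.

```shell
#!/bin/sh
# Added example, not from the original article.

# Return 0 when the upstream version in an "openssl version" string
# (e.g. "OpenSSL 1.0.1e 11 Feb 2013") lies in the affected range
# 1.0.1 .. 1.0.1f, 1 otherwise. A hit only means "possibly affected":
# distributions ship fixed builds that still report 1.0.1e.
heartbleed_upstream_range() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;   # "-fips" suffixed builds included
        *) return 1 ;;
    esac
}

# Return 0 when installed VERSION-RELEASE $1 is the same as or newer than
# the fixed VERSION-RELEASE $2. Both look like "1.0.1e-16.el6_5.7", i.e.
# the output of:  rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl
# Ordering is done with GNU coreutils "sort -V" (assumption: GNU sort).
rpm_vr_at_least() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# Report on the running host. Fixed release taken from the rpm output above.
check_host() {
    fixed="1.0.1e-16.el6_5.7"
    if command -v rpm >/dev/null 2>&1; then
        installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl 2>/dev/null)
        if rpm_vr_at_least "$installed" "$fixed"; then
            echo "openssl $installed: at or above fixed release $fixed"
        else
            echo "openssl $installed: OLDER than fixed release $fixed, update now"
        fi
    elif heartbleed_upstream_range "$(openssl version)"; then
        echo "upstream version in affected range; confirm the distribution package level"
    else
        echo "upstream version outside affected range"
    fi
}
```

Running `check_host` on the CentOS box from the output above reports the package as being at the fixed release; on a stock CentOS 6.5 install it reports 1.0.1e-15 as older and tells you to update.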
Now that we have made sure we are using the latest version, we need to regenerate our certificates using a new private key. The process is standard: create a certificate signing request with a new key and then create the certificate itself (if we are using our own certificates), or send the CSR to the certificate authority to have the new certificate issued. Then replace the old certificates and start using the new ones.
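The three steps above (new key, CSR, certificate) as one shell function, added here as an example rather than taken from the original article. It assumes the `openssl` command-line tool is installed; the output directory and the subject (`/CN=www.example.com`) are placeholders. The self-signing step stands in for the CA's issuance when the CSR is sent out instead, and the final modulus comparison catches the classic mistake of installing a new certificate while the web server still points at the old key.

```shell
#!/bin/sh
# Added example, not from the original article.
# Usage: regen_cert OUTDIR "/CN=www.example.com" [DAYS]
# Writes OUTDIR/server.key, server.csr and server.crt; returns 0 on success.
regen_cert() {
    outdir=$1
    subject=$2
    days=${3:-365}
    mkdir -p "$outdir" || return 1
    umask 077   # the new key must not be readable by other users (affects the whole shell)

    # 1. A fresh private key. The old one must be assumed stolen, so it is
    #    never reused, regardless of how the certificate is issued.
    openssl genrsa -out "$outdir/server.key" 2048 2>/dev/null || return 1

    # 2. A certificate signing request bound to the new key. This is the
    #    file to send to the certificate authority for a CA-issued certificate.
    openssl req -new -key "$outdir/server.key" -subj "$subject" \
        -out "$outdir/server.csr" || return 1

    # 3. Self-signed certificate from the CSR (skip this step when the CA
    #    issues the certificate; install the CA's file as server.crt instead).
    openssl x509 -req -in "$outdir/server.csr" -signkey "$outdir/server.key" \
        -days "$days" -out "$outdir/server.crt" 2>/dev/null || return 1

    # 4. Sanity check before deploying: the certificate's public key must
    #    belong to the new private key, otherwise the service will fail to start
    #    or, worse, keep serving with the old key.
    [ "$(openssl x509 -noout -modulus -in "$outdir/server.crt")" = \
      "$(openssl rsa -noout -modulus -in "$outdir/server.key")" ]
}
```

After `regen_cert /etc/pki/tls/new "/CN=www.example.com"` succeeds, the new key and certificate are copied over the paths referenced in the web server configuration and the service is restarted as described in the next step.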
The next step is to make sure that we restart all the services that use SSL certificates. For example, if we run the Apache web server we should execute:
Fedora/CentOS

# /etc/init.d/httpd restart

Ubuntu/Debian

# sudo service apache2 restart
We should do the same for any other web server or service that uses OpenSSL (Nginx, vsftpd, MySQL, etc.). Now we can sit back and relax: we are protected from the Heartbleed bug.
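Rather than remembering every service that links against OpenSSL, we can ask the kernel: a daemon started before the package upgrade still has the old libssl/libcrypto mapped, and Linux marks the replaced file as “(deleted)” in its /proc/PID/maps. The script below, an added example that is not part of the original article, lists exactly those processes, so the restart list is complete even for services we forgot (a MySQL or vsftpd started last month, a mail daemon). It assumes a Linux host with /proc and needs root to read other users' map files; `lsof` shows the same mappings with type DEL.

```shell
#!/bin/sh
# Added example, not from the original article. Linux-only.

# Pure check on the text of one /proc/PID/maps file: return 0 when any
# libssl/libcrypto mapping refers to a file that has since been replaced
# (the kernel appends " (deleted)" to such paths), 1 otherwise.
maps_has_stale_ssl() {
    printf '%s\n' "$1" | grep -E -q 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$'
}

# Walk /proc and print "PID COMMAND" for every process that still runs
# with the pre-upgrade OpenSSL library. Each of these needs a restart.
find_stale_ssl_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        content=$(cat "$maps" 2>/dev/null) || continue   # unreadable without root: skip
        if maps_has_stale_ssl "$content"; then
            printf '%s %s\n' "$pid" "$(ps -o comm= -p "$pid" 2>/dev/null)"
        fi
    done
}

# Example run (as root): prints e.g. "1234 httpd", "1301 mysqld"; an empty
# result means every OpenSSL user has been restarted.
# find_stale_ssl_processes
```

The check is worth repeating after the restarts: a service whose init script only reloads (rather than restarts) its master process, or a process that re-forked from an old parent, will still show up here.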