
How To Mitigate & Fix OpenSSL Heartbeat on CentOS or Ubuntu.

Hind Naser

An extremely critical security issue was recently discovered in OpenSSL, affecting versions 1.0.1 through 1.0.1f. All CentOS 6.5 systems, which ship with OpenSSL 1.0.1e-15, are vulnerable to this bug; note that older stable CentOS versions are not affected. All Ubuntu versions since Ubuntu 12.04 are affected as well. This bug even got its own name, “heartbleed”.

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read and “steal” 64k of memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

Fixing it is relatively simple now that most Linux distributions have pushed out changes to their repositories containing a fixed version of OpenSSL. In order to patch this vulnerability, affected users should update to the latest OpenSSL version. So, the update should be as easy as:

Fedora/CentOS:

yum clean all
yum check-update
yum update

Ubuntu/Debian:

sudo apt-get update
sudo apt-get upgrade openssl

If all went without errors, that’s it. Now, let’s make sure that we are running the version without security issues. Keep in mind that distributions backport the fix without changing the upstream version string, so on Ubuntu the openssl version banner looks the same before and after the update; check the package version (dpkg -l openssl, or the build date shown by openssl version -a) to be sure.

Fedora/CentOS:

rpm -qa | grep openssl
openssl-1.0.1e-16.el6_5.7.x86_64
openssl-devel-1.0.1e-16.el6_5.7.x86_64

Ubuntu/Debian:

openssl version
OpenSSL 1.0.1 14 Mar 2012
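Because the upstream banner does not change when a fix is backported, the reliable check is the package version. The script below is an added example and not part of the original post: it parses rpm/dpkg package lines and compares them against the first fixed build. The CentOS fixed build is the one listed above; DEBIAN_FIXED is a placeholder to be filled in from the distribution's own advisory.

```shell
#!/bin/sh
# Added example, not part of the original post: confirm the Heartbleed fix by
# comparing the installed OpenSSL *package* version with the distribution's
# fixed build, since "openssl version" alone cannot show a backported fix.
# Assumptions: CENTOS_FIXED is the build shown on the page; DEBIAN_FIXED is a
# placeholder that must be replaced with the version from the distro advisory.
CENTOS_FIXED="1.0.1e-16.el6_5.7"
DEBIAN_FIXED="FIXED-VERSION-FROM-DISTRO-ADVISORY"   # placeholder, not a real version

# Return 0 when package version $1 is >= $2. sort -V compares field by field
# numerically (so 5.12 > 5.7); for exact distro semantics (epochs, "~")
# use dpkg --compare-versions or rpmdev-vercmp instead.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# "rpm -qa" line -> "version-release": drop the package name prefix
# (openssl-, openssl-devel-, ...) and the trailing ".<arch>".
rpm_version() {
    printf '%s\n' "$1" | sed -E -e 's/^[a-z-]+-([0-9])/\1/' -e 's/\.[^.]*$//'
}

# "dpkg-query -W openssl" line ("openssl<TAB>1.0.1-...") -> version field.
dpkg_version() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# 0 = fixed build installed, 1 = still a vulnerable build.
# $1 = installed package version, $2 = first fixed package version.
openssl_fixed() {
    version_ge "$1" "$2"
}

# Live check of the current host; the package manager present decides the path.
check_host() {
    if command -v rpm >/dev/null 2>&1; then
        installed=$(rpm_version "$(rpm -q openssl | head -n 1)")
        fixed=$CENTOS_FIXED
    else
        installed=$(dpkg_version "$(dpkg-query -W openssl)")
        fixed=$DEBIAN_FIXED
    fi
    if openssl_fixed "$installed" "$fixed"; then
        echo "openssl $installed: fixed build (>= $fixed)"
    else
        echo "openssl $installed: VULNERABLE build, update, then regenerate keys"
        return 1
    fi
}
```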

Now, after we have made sure we are using the latest version, we need to regenerate our certificates using a new private key. The process is standard: create a new private key and a certificate signing request (CSR), then create the certificate itself (if we use our own certificates) or send the CSR to the certificate authority to issue the new certificate. Then replace the old certificate and start using the new one.

The next step is to make sure that we restart all the services that use SSL certificates, so that the patched library and the new keys are actually loaded. For example, if we run the Apache web server we should execute:

Fedora/CentOS:

/etc/init.d/httpd restart

Ubuntu/Debian:

sudo service apache2 restart

We should do the same for any other web server or any other service that we use (Nginx, vsftpd, MySQL etc.). Now we can sit back and relax. We are protected from the Heartbleed bug.
