
How To Mitigate & Fix OpenSSL Heartbeat on CentOS or Ubuntu.

Mohammed Naser

An extremely critical security issue was recently discovered in OpenSSL. It affects versions 1.0.1 through 1.0.1f. All CentOS 6.5 versions are packaged with OpenSSL 1.0.1e-15 and are therefore vulnerable to this bug. Note that older stable CentOS versions are not vulnerable. All Ubuntu versions since Ubuntu 12.04 are affected as well. This bug even got its own name, “heartbleed”.

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read and “steal” 64k of memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

Fixing it is relatively simple now that most Linux distributions have pushed out changes to their repositories containing a fixed version of OpenSSL. In order to patch this vulnerability, affected users should update to the latest OpenSSL version. So, the update should be as easy as:

**Fedora/CentOS**

```
# yum clean all
# yum check-update
# yum update
```

**Ubuntu/Debian**

```
# sudo apt-get update
# sudo apt-get upgrade openssl
```

If all went without errors, that’s it. Now, let’s make sure that we are running the version without security issues.

**Fedora/CentOS**

```
# rpm -qa | grep openssl
openssl-1.0.1e-16.el6_5.7.x86_64
openssl-devel-1.0.1e-16.el6_5.7.x86_64
```

**Ubuntu/Debian**

```
# openssl version
OpenSSL 1.0.1 14 Mar 2012
```
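Note that the two checks above answer different questions. The upstream `openssl version` string tells you whether the code base is in the affected 1.0.1 through 1.0.1f range, but distributions backport the fix without bumping that string: a patched CentOS 6.5 still reports 1.0.1e, and a patched Ubuntu 12.04 still prints `OpenSSL 1.0.1 14 Mar 2012`. The package release (the `-16.el6_5.7` part of the rpm name) is what actually changes. The following helpers, added here as an example and not part of the original post, separate the two checks: one classifies an `openssl version` line against the affected range, the other compares an `rpm -qa` line against a known-fixed version-release. The sample strings are constructed from the versions quoted in this post; the fixed release `1.0.1e-16.el6_5.7` is the one shown above.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether an installed
# OpenSSL is in the Heartbleed-affected range, first by upstream version,
# then by distribution package release, which is what a backported fix bumps.

# Compare two dotted/dashed version strings segment by segment: numeric
# where both segments are numbers, string comparison otherwise.
# Prints -1, 0 or 1 for a < b, a == b, a > b.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, /[._-]/); nb = split(b, B, /[._-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] : ""; y = (i <= nb) ? B[i] : ""
            if (x == y) continue
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) { r = (x + 0 < y + 0) ? -1 : 1 }
            else                                  { r = (x < y) ? -1 : 1 }
            print r; exit
        }
        print 0
    }'
}

# Heartbleed affects upstream OpenSSL 1.0.1 through 1.0.1f.
# $1 is one line of `openssl version` output, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013".
# Returns 0 (shell true) if the upstream version is in the affected range.
heartbleed_upstream_affected() {
    ver=$(printf '%s\n' "$1" | awk '{ sub(/-.*/, "", $2); print $2 }')  # drop "-fips" etc.
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;   # 1.0.1 (no letter) up to and including 1.0.1f
        *)                return 1 ;;
    esac
}

# Package-level check for RPM systems. $1 is an `rpm -qa` line such as
# "openssl-1.0.1e-16.el6_5.7.x86_64" (name prefix and arch suffix are stripped);
# $2 is the known-fixed version-release, e.g. "1.0.1e-16.el6_5.7".
# Returns 0 if the installed version-release is at or above the fixed one.
rpm_openssl_patched() {
    iv=$(printf '%s\n' "$1" | sed -e 's/^[^0-9]*//' -e 's/\.[^.]*$//')
    [ "$(vercmp "$iv" "$2")" -ge 0 ]
}

# Constructed sample inputs, built from the version strings quoted in the post.
demo() {
    for out in "OpenSSL 1.0.1e-fips 11 Feb 2013" "OpenSSL 1.0.1 14 Mar 2012" "OpenSSL 1.0.1g 7 Apr 2014"; do
        if heartbleed_upstream_affected "$out"; then
            echo "upstream in affected range (check package release): $out"
        else
            echo "upstream outside affected range: $out"
        fi
    done
    fixed=1.0.1e-16.el6_5.7
    for pkg in openssl-1.0.1e-15.el6.x86_64 openssl-1.0.1e-16.el6_5.7.x86_64; do
        if rpm_openssl_patched "$pkg" "$fixed"; then
            echo "patched: $pkg"
        else
            echo "STILL VULNERABLE: $pkg (need >= $fixed)"
        fi
    done
}

demo
```

On Ubuntu the same idea applies to the Debian package version (`dpkg -l openssl libssl1.0.0`) rather than the upstream string, since the post's `OpenSSL 1.0.1 14 Mar 2012` output is printed by both the vulnerable and the patched build.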

Now that we have made sure we are running the fixed version, we need to regenerate our certificates using a new private key, since the old key may have been leaked while the vulnerable version was in use. The process is the standard one: create a new key, create a certificate signing request (CSR) with it, and then create the certificate itself (sign it ourselves if we use our own certificates, or send the CSR to the certificate authority to issue the new certificate). Then replace the old certificate and key and start using the new ones.

The next step is to make sure that we restart all the services that use SSL certificates, so that they load both the patched library and the new key. For example, if we run the Apache web server we should execute:

**Fedora/CentOS**

```
# /etc/init.d/httpd restart
```

**Ubuntu/Debian**

```
# sudo service apache2 restart
```

We should do the same for any other web server or any other service that we use (Nginx, vsftpd, MySQL, etc.). Now we can sit back and relax. We are protected from the Heartbleed bug.

Don’t forget to follow us on Twitter for news, updates and announcements – @vexxhost.
