How to patch OpenSSL Heartbleed vulnerability

Recently a vulnerability, CVE-2014-0160 (known as Heartbleed), was discovered in certain versions of OpenSSL. OpenSSL is a toolkit that implements the SSL/TLS protocols as well as general-purpose cryptography on many operating systems. The bug is a missing bounds check in the TLS heartbeat extension: a peer can ask for more data than it sent and receive up to 64 KB of the process's memory per heartbeat, which may contain private keys, session cookies, passwords and other confidential information. It is an information-disclosure bug rather than a backdoor, it needs no authentication, and exploiting it leaves no trace in normal server logs.

The following OpenSSL versions were affected by Heartbleed vulnerability:

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable

CentOS 5.x was not affected by this vulnerability because it ships the 0.9.8 branch of OpenSSL.

How to check OpenSSL version?

You can check your OpenSSL version over SSH by running openssl version. See the Check OpenSSL version post for details. Note that on CentOS and Red Hat the version string alone does not tell you whether a fix has been backported; the package changelog check in step [3] below does.

How to patch OpenSSL Heartbleed vulnerability?

If you are using CentOS 6 or Red Hat Enterprise Linux 6, you can apply the fix with the following commands:

[1] Log in to your server via SSH. Make sure you have root access.

[2] Run the following command in the SSH console:

yum update openssl

Note that yum may report that no update is available: if automatic OS updates are configured, the fix may already have been applied.

[3] Once the yum update completes, run the following command to confirm whether the fix is present:

rpm -q --changelog openssl | grep -iE 'CVE-2014-0160'

The output of the above command should be as follows:

- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

The package version will still read openssl-1.0.1e-16.el6_5.7.x86_64, but this build is not vulnerable. Red Hat backports security fixes without changing the upstream version number, and release 16.el6_5.7 is the one that carries the Heartbleed fix, so openssl version keeps printing 1.0.1e on a patched host. It is not necessary to install OpenSSL 1.0.1g; the changelog entry, not the version string, is what shows the fix is in place. If grep prints nothing, the fix is not installed and the server is still vulnerable.

Updating the package only replaces the library files on disk. Every process that already has the old libssl/libcrypto mapped into memory keeps running the vulnerable code until it exits, so once the update is installed you must fully STOP and then START every service that uses OpenSSL (httpd, cPanel, sshd and so on). A graceful reload, or a "restart" command that only reloads configuration and keeps the parent process running (as some control-panel restart scripts do), is not enough. You can list the processes still holding the replaced library with grep -l 'libssl.*(deleted)' /proc/[0-9]*/maps; if you are not sure which services use OpenSSL, it is strongly recommended to reboot the entire server. Because the bug leaks memory contents, also assume that anything the vulnerable processes held could have been read: reissue TLS certificates with new private keys and rotate passwords, session tokens and other secrets once the patched build is running.
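As an added example (not part of the original post, and not a Red Hat or CentOS tool), the following POSIX shell script automates the checks from steps [2] and [3] and the stop/start step: it parses openssl version output against the upstream version table above, looks for CVE-2014-0160 in rpm changelog output, and scans /proc/<pid>/maps for processes still holding the replaced library. The function names and the sample changelog and maps text are this example's own constructions; on a real CentOS 6 host the guarded block at the end feeds it the live command output instead.

```shell
#!/bin/sh
# Added example (not from the original post): offline helpers for the checks in
# steps 2-3 and the stop/start step above. All sample inputs are constructed and
# every function name is this example's own, not a CentOS/Red Hat tool.

# Pull the bare version token out of `openssl version` output.
# "OpenSSL 1.0.1e-fips 11 Feb 2013" -> "1.0.1e"
openssl_version_token() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Classify the token against the upstream table above: 1.0.1 and 1.0.1a-f are
# vulnerable; 1.0.1g and later letters, the 1.0.0 and 0.9.8 branches are not.
# Anything else is reported as unknown rather than guessed.
upstream_status() {
    v=$(openssl_version_token "$1")
    case "$v" in
        1.0.1|1.0.1[a-f]) echo vulnerable ;;
        1.0.1[g-z]|1.0.0*|0.9.8*) echo not-vulnerable ;;
        *) echo unknown ;;
    esac
}

# True when `rpm -q --changelog openssl` output mentions the Heartbleed CVE.
changelog_has_heartbleed_fix() {
    printf '%s\n' "$1" | grep -qi 'CVE-2014-0160'
}

# Combine both: a distro build that still reports 1.0.1e is "patched-by-backport"
# when its changelog carries the fix, which is exactly the CentOS 6 situation.
heartbleed_verdict() {
    case "$(upstream_status "$1")" in
        vulnerable)
            if changelog_has_heartbleed_fix "$2"; then
                echo patched-by-backport
            else
                echo vulnerable
            fi ;;
        not-vulnerable) echo not-vulnerable ;;
        *) echo unknown ;;
    esac
}

# After the package update, a process that still maps the old library shows it
# as "(deleted)" in /proc/<pid>/maps. This checks one maps listing for that.
maps_show_stale_libssl() {
    printf '%s\n' "$1" | grep -Eq 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$'
}

# Live scan: print the PIDs that must be stopped and started (or rebooted away).
stale_libssl_pids() {
    for m in /proc/[0-9]*/maps; do
        if maps_show_stale_libssl "$(cat "$m" 2>/dev/null || true)"; then
            printf '%s\n' "${m#/proc/}" | cut -d/ -f1
        fi
    done
}

# Constructed samples (not real command output).
PATCHED_CHANGELOG='* Mon Apr 07 2014 Package Maintainer 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
* Tue Jan 07 2014 Package Maintainer 1.0.1e-16.2
- rebuild for updated dependencies'
OLD_CHANGELOG='* Tue Jan 07 2014 Package Maintainer 1.0.1e-16.2
- rebuild for updated dependencies'
STALE_MAPS='7f3a1c000000-7f3a1c05f000 r-xp 00000000 fd:01 131085 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a1c25e000-7f3a1c262000 r--p 0005e000 fd:01 131085 /usr/lib64/libssl.so.1.0.1e (deleted)'
FRESH_MAPS='7f3a1c000000-7f3a1c05f000 r-xp 00000000 fd:01 131099 /usr/lib64/libssl.so.1.0.1e'

heartbleed_verdict 'OpenSSL 1.0.1e-fips 11 Feb 2013' "$PATCHED_CHANGELOG"   # patched-by-backport
heartbleed_verdict 'OpenSSL 1.0.1e-fips 11 Feb 2013' "$OLD_CHANGELOG"       # vulnerable
heartbleed_verdict 'OpenSSL 1.0.1g 7 Apr 2014' ''                            # not-vulnerable

# On a real CentOS 6 host, feed the live command output instead:
if command -v openssl >/dev/null 2>&1 && command -v rpm >/dev/null 2>&1; then
    heartbleed_verdict "$(openssl version 2>/dev/null || true)" \
                       "$(rpm -q --changelog openssl 2>/dev/null || true)"
    stale_libssl_pids
fi
```

The verdict is deliberately "unknown" for version strings the table above does not cover, and the stale-library scan is the programmatic form of the stop-and-start rule: any PID it prints after the update is a process still executing the vulnerable code.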

If you are using CloudLinux, please refer to the CloudLinux 6 OpenSSL Security Update post to apply the Heartbleed fix. For the LiteSpeed web server, please refer to the LiteSpeed Web Server Security Update post, because LiteSpeed links its own copy of OpenSSL and is not fixed by the yum update alone.

Once you have stopped and started all necessary services, you can test for this vulnerability online from the following URLs (these only reach hosts that are exposed to the Internet):

https://filippo.io/Heartbleed/
https://www.ssllabs.com/ssltest/
https://possible.lv/tools/hb/

Heartbleed does not affect IIS, because Windows uses Microsoft's own TLS implementation (SChannel) rather than OpenSSL. A Windows server can still be affected if it runs third-party software that bundles a vulnerable OpenSSL build, so check any VPN, web or mail software installed on it separately.
