Patching OpenSSL (Heartbleed Vulnerability)

A security vulnerability in OpenSSL, known as Heartbleed, has been found. It is important to update your local version of OpenSSL to correct this issue. Below are the steps to follow to make sure the patch is installed on your system. Please have a backup of your system ready before making any changes.

Patched versions of OpenSSL are available from the package repositories of the most popular distributions. If you compiled OpenSSL from source, you will need to compile and reinstall version 1.0.1g. Alternatively, you can recompile a previous version with the OPENSSL_NO_HEARTBEATS flag enabled, which removes the affected heartbeat extension and so closes the vulnerability.

Ubuntu and Debian

First, check the currently installed version of OpenSSL:

$ openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Sat Mar  1 21:16:43 UTC 2014
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"

Look at the version above. OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable.

Run the following commands to refresh the package lists and upgrade your system:

sudo apt-get update
sudo apt-get upgrade

During the upgrade you may be shown a dialog that warns you about the security issue and lists the services that use OpenSSL and need to be restarted for the patch to take effect. You can add further services to this list by entering the name of their init.d script in that field.

If you do not see this dialog during the upgrade, you have to manually restart every service that uses OpenSSL, because a running process keeps using the old library until it is restarted.

After the upgrade, run the same command again to confirm that the newer build is in place. Distributions often backport the fix without changing the version number, so compare the "built on" date as well as the version string.

openssl version -a
OpenSSL 1.0.1g 14 Mar 2012
built on: Mon Apr  7 20:33:29 UTC 2014

CentOS

Check to see what your current OpenSSL version is:

openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Wed Jan  8 18:40:59 UTC 2014
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  dynamic

Carefully check the version line. OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable.

To update OpenSSL from the repositories, run:

yum -y install openssl

After updating the package, run openssl version -a again to confirm the new build. CentOS backports the fix, so the version string remains 1.0.1e-fips; what changes is the "built on" date, which must be on or after the date of the patched package:

openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Apr  8 02:39:29 UTC 2014

Please manually restart any services that use OpenSSL.
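The checks described in the Ubuntu/Debian and CentOS sections above (read the version, compare the build date, find services that still run the old library) can be scripted. The following POSIX shell script is an added example and is not part of the original article; the function names and the sample `openssl version -a` output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Helper checks for the
# patching procedure above; function names and the sample output are
# constructed for illustration.

# heartbleed_version_affected VERSION
# VERSION is the second word of `openssl version`, e.g. "1.0.1e-fips".
# Prints "affected" if the number falls in 1.0.1 .. 1.0.1f, else "not-affected".
# Caveat: distributions backport the fix without changing this number
# (CentOS stays at 1.0.1e-fips), so "affected" means "compare the build
# date with your distribution's advisory", not "definitely vulnerable".
heartbleed_version_affected() {
    v=${1%%-*}                        # drop suffixes such as "-fips"
    case "$v" in
        1.0.1|1.0.1[a-f]) echo affected ;;
        *)                echo not-affected ;;
    esac
}

# openssl_build_date "OUTPUT"
# Extracts the value of the "built on:" line from `openssl version -a` output.
openssl_build_date() {
    printf '%s\n' "$1" | sed -n 's/^built on: *//p'
}

# stale_libssl_pids [PROC_DIR]
# Prints the PID of every process whose memory map still references a
# libssl shared object that has been replaced on disk (the kernel marks such
# mappings "(deleted)"). These are the services that still need a restart.
# PROC_DIR defaults to /proc; a fake tree can be passed for testing.
stale_libssl_pids() {
    proc=${1:-/proc}
    for maps in "$proc"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -q 'libssl[^ ]* (deleted)' "$maps" 2>/dev/null; then
            pid=${maps%/maps}
            echo "${pid##*/}"
        fi
    done
}

# Constructed sample in the format shown in the article (not a real host).
SAMPLE_VERSION_OUTPUT='OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Apr  8 02:39:29 UTC 2014
platform: linux-x86_64'

# report "OUTPUT": one-line summary for a given `openssl version -a` output.
report() {
    ver=$(printf '%s\n' "$1" | awk 'NR == 1 { print $2 }')
    echo "version $ver: $(heartbleed_version_affected "$ver"); built on $(openssl_build_date "$1")"
}

# Stand-alone run: report on the sample, then on the live system if present.
report "$SAMPLE_VERSION_OUTPUT"
if command -v openssl >/dev/null 2>&1; then
    report "$(openssl version -a 2>/dev/null)"
    for pid in $(stale_libssl_pids); do
        echo "PID $pid still maps a replaced libssl and needs a restart"
    done
fi
```

Run it as root after the package upgrade: any PID it lists belongs to a service that loaded libssl before the upgrade and must be restarted (or the host rebooted) before the patch is actually in effect.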

Reissue All Certificates

Because the Heartbleed bug allows an attacker to read portions of the memory of a vulnerable system, including the private keys of SSL key pairs, it is recommended that you reissue all key pairs. This includes keys used to create SSL certificates for web and mail servers. You may need to generate new CSRs and have your SSL certificates reissued. Generate the new keys only after the patched OpenSSL is installed and the services have been restarted, and revoke the old certificates once the new ones are in place.
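As an added example of the reissue step (not part of the original article), the shell script below generates a new private key and CSR for a host and verifies that a certificate returned by the CA actually belongs to the new key rather than the old one. The function names, the RSA-2048 key size, the CN-only subject and the file layout are assumptions; adjust them to what your CA requires.

```shell
#!/bin/sh
# Added example (not from the original article): rotate a host's TLS key pair
# after patching and check that the resulting artefacts belong together.
# Function names, file layout and the RSA-2048/CN-only subject are assumptions.

# rotate_tls_key HOST [OUTDIR]
# Generates a brand-new RSA-2048 private key and a CSR for HOST, never
# reusing the old key, and prints the CSR path. The key is written with
# mode 0600 (umask 077) and left unencrypted (-nodes) so the service can
# load it without a passphrase prompt.
rotate_tls_key() {
    host=$1
    outdir=${2:-.}
    key="$outdir/$host.key"
    csr="$outdir/$host.csr"
    ( umask 077 && openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" -keyout "$key" -out "$csr" >/dev/null 2>&1 ) || return 1
    # Sanity check: the CSR must carry the modulus of the key just written.
    k=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || return 1
    c=$(openssl req -noout -modulus -in "$csr" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ] || return 1
    echo "$csr"
}

# cert_matches_key CERT KEY
# Succeeds only if the certificate was issued for KEY. Run this before
# installing a reissued certificate: a certificate that still matches the
# old (exposed) key gives no protection.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Stand-alone usage: sh rotate.sh www.example.com /etc/ssl/private
if [ $# -gt 0 ]; then
    rotate_tls_key "$1" "${2:-.}" && echo "submit the CSR above to your CA"
fi
```

Submit the printed CSR to your CA, then run cert_matches_key on the returned certificate and the new key before installing it and restarting the service.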
