OpenSSL Heartbleed Bug (< 1.0.1g) - Encryption keys at risk

JaredR. (Well-Known Member, Feb 25, 2010, Houston, TX, cPanel Access Level: Root Administrator)
A reboot is not strictly necessary, because you can simply restart each service that uses OpenSSL, but you may find rebooting to be more convenient than restarting each service one by one.

Bashed (Well-Known Member, Dec 18, 2013, cPanel Access Level: Root Administrator)
Not working for me. Already tried whm > software > update system software and update server software. Both had no updates.

[email protected] [~]# cat /etc/redhat-release
CloudLinux Server release 6.5 (Pavel Popovich)

[email protected] [~]# yum update openssl
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
Setting up Update Process
No Packages marked for Update


[email protected] [~]# rpm -qi openssl
Name : openssl Relocations: (not relocatable)
Version : 1.0.1e Vendor: CloudLinux
Release : 16.el6_5 Build Date: Wed 04 Dec 2013 06:14:22 AM CST
Install Date: Thu 05 Dec 2013 01:37:11 AM CST Build Host: koji.cloudlinux.com


ro[email protected] [~]# rpm -qa |grep openssl
openssl-1.0.1e-16.el6_5.x86_64
openssl-devel-1.0.1e-16.el6_5.x86_64


Also, I'm getting conflicting results between these two tools for the same domains/ports:
http://filippo.io/Heartbleed/
http://rehmann.co/projects/heartbeat/

Legin76 (Well-Known Member, Dec 11, 2007)
I've updated openssl, but even after a reboot, php info shows OpenSSL Library Version "OpenSSL 1.0.1e-fips 11 Feb 2013". Is this correct?


rpm -q --changelog openssl-1.0.1e | head
* Mon Apr 07 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

* Tue Jan 07 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.4
- fix CVE-2013-4353 - Invalid TLS handshake crash

* Mon Jan 06 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.3
- fix CVE-2013-6450 - possible MiTM attack on DTLS1

* Fri Dec 20 2013 Tomáš Mráz <[email protected]> 1.0.1e-16.2

cPanelMichael (Administrator, Staff member, Apr 11, 2011)
I've updated openssl, but even after a reboot, php info shows OpenSSL Library Version "OpenSSL 1.0.1e-fips 11 Feb 2013". Is this correct?
Yes, the output you provided indicates the patch has been applied:

- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
The RPM is patched, so you won't necessarily see a new version. Instead, you will see the CVE listed in the RPM change log.

Thank you.

cPanelMichael (Administrator, Staff member, Apr 11, 2011)
Not working for me. Already tried whm > software > update system software and update server software. Both had no updates.

[email protected] [~]# rpm -qa |grep openssl
openssl-1.0.1e-16.el6_5.x86_64
openssl-devel-1.0.1e-16.el6_5.x86_64
Please run the following command:

Code:
rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160
Look for output that indicates a patch for CVE-2014-0160 has been backported to determine if the RPM has been updated.

Thank you.

cPanelDon (cPanel Quality Assurance Analyst, Staff member, Nov 5, 2008, Houston, Texas, U.S.A., cPanel Access Level: DataCenter Provider)
Why is cPanel using "mirrors.prometeus.net" as a repository?
And why is it not updated with the latest patch?

Thanks,
Max
cPanel does not distribute OpenSSL packages. The OpenSSL packages and updates for them originate from your OS vendor and applicable YUM/RPM repositories. The mirror addresses may vary depending on your OS distribution and YUM configuration.

cPanelMichael (Administrator, Staff member, Apr 11, 2011)
So to confirm...

this means my system is NOT vulnerable?

[[email protected] ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

If I go to the heartbleed site it still says I am vulnerable.

It's very confusing!
Run this command:

Code:
rpm -q --changelog openssl | grep -B 1 CVE-2014-0160
Look for output that indicates a patch for CVE-2014-0160 has been backported to determine if the RPM has been updated.

Thank you.

planetjoin (Well-Known Member, Oct 14, 2003, cPanel Access Level: Root Administrator)
You can check exact version with:

Code:
rpm -qa |grep openssl
Answer for RHEL 6/Centos 6 should be:

Code:
openssl-1.0.1e-16.el6_5.7.x86_64
openssl-devel-1.0.1e-16.el6_5.7.x86_64
Hello:

If I check using the above command and I get exactly that answer, does that mean my servers are OK and I do not need any upgrade?

Thanks :)
Fabian

cPanelMichael (Administrator, Staff member, Apr 11, 2011)
Please see my previous post to this thread. While yes, newer versions should include the patch, you can verify this with a command such as:

Code:
rpm -q --changelog openssl | grep -B 1 CVE-2014-0160
Thanks.

planetjoin (Well-Known Member, Oct 14, 2003, cPanel Access Level: Root Administrator)
Hello Michael,

One of my servers:

[~]# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

and:

[~]# rpm -q --changelog openssl | grep -B 1 CVE-2014-0160

Nothing is displayed after that command.

Also:

[~]# yum update openssl
Excluding Packages in global exclude list
Finished
Setting up Update Process
No Packages marked for Update

??

Fabian

cPanelMichael (Administrator, Staff member, Apr 11, 2011)
One of my servers:

[~]# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
RHEL/CentOS 5 servers which are using the OpenSSL 0.9.8 RPM included in the official OS repositories are not vulnerable since they are using an older version of OpenSSL that never contained this vulnerability.

Squiz (Member, Oct 11, 2005)
Is a graceful server reboot via WHM sufficient? I have done it and checked that the vulnerability is gone, and it appears to have gone now. But is a graceful server reboot enough to restart all the affected services?

Also is there a list of vulnerable ports available that I can test?

Finally, after that is done I believe I still need to re-issue SSL certificates? Including service SSL certificates, just to be safe?

Then once that is done finally change passwords?

Just want to be clear on this. Thanks

cPanelDon (cPanel Quality Assurance Analyst, Staff member, Nov 5, 2008, Houston, Texas, U.S.A., cPanel Access Level: DataCenter Provider)
Is a graceful server reboot via WHM sufficient? I have done it and checked that the vulnerability is gone, and it appears to have gone now. But is a graceful server reboot enough to restart all the affected services?
Yes. A reboot is still a reboot, and in doing so restarts all services.

Also is there a list of vulnerable ports available that I can test?
A list of ports will vary based on what all you have running on your server; you can manually check via command-line which ports services are listening on and test those. Try lsof and netstat via CLI as root.
Code:
man lsof
man netstat
Finally, after that is done I believe I still need to re-issue SSL certificates? Including service SSL certificates, just to be safe?

Then once that is done finally change passwords?

Just want to be clear on this. Thanks
Yes; I believe it is a very good idea to change passwords and create new keys to then re-issue SSL certificates.
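
As an added example (my own script, not cPanel's and not code posted in this thread), here is a small POSIX shell script that puts the two checks from cPanelMichael's and cPanelDon's replies into one place: it classifies an OpenSSL RPM as patched, vulnerable or not affected from its version field and the CVE-2014-0160 backport entry in the RPM changelog, and extracts the listening TCP ports from netstat output so you know what to test. The changelog and netstat samples embedded in it are constructed for the demo, and live_check assumes an RPM-based host such as the RHEL/CentOS/CloudLinux boxes discussed above.

```shell
#!/bin/sh
# Added example (not from the thread): apply the thread's two checks in script form.

# heartbleed_status VERSION CHANGELOG_TEXT -> prints patched | vulnerable | not-affected | unknown.
# VERSION is the RPM %{VERSION} field (e.g. 1.0.1e), not the "openssl version" banner.
heartbleed_status() {
  ver=$1 changelog=$2
  case "$ver" in
    # 0.9.8/1.0.0 never had the heartbeat code; 1.0.1g and later ship the fix
    0.9.*|1.0.0*|1.0.1g*|1.0.1[h-z]*|1.0.2*|1.1.*|3.*) echo not-affected; return 0 ;;
    1.0.1*) ;;                      # 1.0.1 .. 1.0.1f: safe only with a vendor backport
    *) echo unknown; return 2 ;;
  esac
  if printf '%s\n' "$changelog" | grep -q 'CVE-2014-0160'; then echo patched; else echo vulnerable; fi
}

# live_check: same verdict for the local RPM database (RHEL/CentOS/CloudLinux).
# "patched" still requires restarting every service that links OpenSSL, or a reboot.
live_check() {
  ver=$(rpm -q --qf '%{VERSION}' openssl 2>/dev/null) || { echo unknown; return 2; }
  heartbleed_status "$ver" "$(rpm -q --changelog openssl)"
}

# listening_ports NETSTAT_TEXT: unique TCP ports in LISTEN state from `netstat -ntl` output
listening_ports() {
  printf '%s\n' "$1" | awk '$1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# Constructed sample input: changelog lines as quoted above, plus fake netstat rows
SAMPLE_LOG_PATCHED='* Mon Apr 07 2014 Tomas Mraz 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
* Tue Jan 07 2014 Tomas Mraz 1.0.1e-16.4
- fix CVE-2013-4353 - Invalid TLS handshake crash'
SAMPLE_LOG_OLD='* Tue Jan 07 2014 Tomas Mraz 1.0.1e-16.4
- fix CVE-2013-4353 - Invalid TLS handshake crash'
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address   Foreign Address   State
tcp        0      0 0.0.0.0:22      0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:443     0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:80      0.0.0.0:*         LISTEN
tcp        0      0 :::443          :::*              LISTEN'

echo "1.0.1e with backport:    $(heartbleed_status 1.0.1e "$SAMPLE_LOG_PATCHED")"   # patched
echo "1.0.1e without backport: $(heartbleed_status 1.0.1e "$SAMPLE_LOG_OLD")"       # vulnerable
echo "0.9.8e (RHEL/CentOS 5):  $(heartbleed_status 0.9.8e '')"                      # not-affected
echo "Ports to test: $(listening_ports "$SAMPLE_NETSTAT" | tr '\n' ' ')"
if command -v rpm >/dev/null 2>&1; then echo "This host: $(live_check)"; fi
```

On a real host, feed `listening_ports "$(netstat -ntl)"` and test each port it prints; a "patched" verdict from live_check only holds for services restarted after the RPM update.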

adv (Registered, Apr 9, 2014, cPanel Access Level: DataCenter Provider)
Before I read this thread I just grabbed OpenSSL 1.0.1g from OpenSSL, compiled it and installed it,
then I restarted Apache; it is working well now.
Although I know cPanel will not recommend this, as it can break things, it is hard for us to update cPanel anyway, as we have many customers on the server.