CRITICAL OpenSSL Vulnerability “Heartbleed” in OpenSSL 1.0.1 to 1.0.1f – How to patch this bug on your CentOS system

Heartbleed Bug Summary

A new bug in OpenSSL has been discovered that allows a remote attacker to read parts of the memory of systems running vulnerable versions of OpenSSL (e.g. HTTPS servers). This can allow an attacker to obtain private keys, usernames and passwords, and to eavesdrop on encrypted traffic. For more information, see: http://heartbleed.com/

What versions of OpenSSL are affected?

OpenSSL 1.0.1 to 1.0.1f are affected; the vulnerability is fixed upstream in OpenSSL 1.0.1g. Most CentOS 6.x systems are vulnerable, as they run OpenSSL 1.0.1e (openssl-1.0.1e-16.el6_5.4). If in doubt, check your OpenSSL package version with the following command:

rpm -qa openssl

Note: OpenSSL package openssl-1.0.1e-16.el6_5.7 includes the backported fix for this vulnerability. The upstream version number stays 1.0.1e; only the package release field (16.el6_5.7) tells you the fix is present, so compare the full package string, not just the version.

How can I protect my CentOS system from this vulnerability?

An update has been released that patches this vulnerability in OpenSSL 1.0.1e; special thanks to the RHEL and CentOS teams for releasing a patched version so quickly.

To update the OpenSSL packages on your system, run:

yum clean all && yum update "openssl*"

Check the transaction summary and ensure that it is specifically openssl-1.0.1e-16.el6_5.7 (or later) being installed.

Remediation/What else needs to be done after updating the OpenSSL packages?

Updating the package replaces the library files on disk, but any process that was already running keeps the old, now-deleted copies mapped in memory and remains vulnerable. After updating the packages, run the following command to see which processes still reference the old, deleted OpenSSL libraries:

lsof -n | grep ssl | grep DEL

You must restart each process that still has the old libraries open (rebooting the system is the simplest way to be sure nothing was missed). Examples of processes that may still have the old libraries open:

  • mysql
  • postfix
  • webmin
  • openvpn
  • osad
  • nrpe

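The version check and the deleted-library check above, combined in one script as an added example (this is not code from the original post). It assumes the package string format printed by rpm -qa on CentOS 6 and reads /proc/*/maps directly instead of going through lsof:

```shell
#!/bin/sh
# Added example (not from the CentOS Blog post): decide from an "rpm -qa openssl"
# string whether the backported Heartbleed fix is installed, and find processes
# still mapping the deleted OpenSSL libraries by reading /proc/*/maps directly.

FIXED_RELEASE="16.el6_5.7"   # openssl-1.0.1e release carrying the backported fix
# release_ge A B: true when RPM release A >= B, compared field by field
# (numeric fields numerically, others as strings), e.g. 16.el6_5.14 >= 16.el6_5.7
release_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[._]/); nb = split(b, y, /[._]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] : 0; q = (i <= nb) ? y[i] : 0
            if (p ~ /^[0-9]+$/ && q ~ /^[0-9]+$/) { p += 0; q += 0 }
            if (p < q) exit 1
            if (p > q) exit 0
        }
        exit 0
    }'
}

# heartbleed_status NVR: prints vulnerable / patched / other-series for an
# rpm -qa style string such as openssl-1.0.1e-16.el6_5.4.x86_64
heartbleed_status() {
    ver=${1#openssl-}                                    # 1.0.1e-16.el6_5.4.x86_64
    rel=${ver#*-}; rel=${rel%.x86_64}; rel=${rel%.i686}  # 16.el6_5.4
    ver=${ver%%-*}                                       # 1.0.1e
    case "$ver" in
        1.0.1e) if release_ge "$rel" "$FIXED_RELEASE"; then echo patched; else echo vulnerable; fi ;;
        1.0.1|1.0.1[a-f]) echo vulnerable ;;   # upstream-vulnerable, no CentOS backport
        1.0.1[g-z]*) echo patched ;;           # 1.0.1g and later are fixed upstream
        *) echo other-series ;;                # 0.9.8 / 1.0.0 etc.: outside this post's scope
    esac
}
# deleted_ssl_libs: /proc/PID/maps on stdin -> unique paths of OpenSSL libraries
# that the update replaced on disk but the process still has mapped
deleted_ssl_libs() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /lib(ssl|crypto)\.so/ { print $(NF-1) }' | sort -u
}

# scan_running_processes: live equivalent of "lsof -n | grep ssl | grep DEL"
scan_running_processes() {
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}; pid=${pid%/maps}
        libs=$(deleted_ssl_libs < "$m" 2>/dev/null | tr '\n' ' ')
        [ -n "$libs" ] && echo "$pid $(cat "/proc/$pid/comm" 2>/dev/null) $libs"
    done; return 0
}
```

On a real host, run `heartbleed_status "$(rpm -qa openssl)"` after the update and `scan_running_processes` as root to list every PID (with its command name) that still needs a restart.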
Beyond that, it is highly recommended to revoke and reissue certificates, regenerate private keys, and reset user passwords and any other secrets that may have been exposed by this vulnerability; the bug leaves no trace in logs, so there is no way to tell whether they were read.

How can I check if my HTTPS site is still vulnerable?

You can use http://filippo.io/Heartbleed/ to test whether your HTTPS site is vulnerable (thanks to Filippo).

About Author: Curtis K

Hi! My name is Curtis, and I am the author of CentOS Blog. Please feel free to comment with any suggestions, feedback or questions!