CRITICAL OpenSSL Vulnerability “Heartbleed” in OpenSSL 1.0.1 to 1.0.1f – How to patch this bug on your CentOS system

Heartbleed Bug Summary

A bug in OpenSSL's TLS heartbeat extension (CVE-2014-0160, “Heartbleed”) has been disclosed that lets a remote, unauthenticated attacker read chunks of memory from any process using a vulnerable OpenSSL build, and exploitation leaves nothing abnormal in the application's logs. HTTPS is the obvious case, but every TLS service linked against the library is exposed. The leaked memory can contain private keys, usernames, passwords and session cookies, which allows an attacker to decrypt or impersonate encrypted traffic. For more information, see: http://heartbleed.com/

What versions of OpenSSL are affected?

OpenSSL 1.0.1 through 1.0.1f are affected; the upstream fix is in OpenSSL 1.0.1g. The 1.0.0 and 0.9.8 branches are not affected. Most CentOS 6.x systems are vulnerable because they run OpenSSL 1.0.1e (for example openssl-1.0.1e-16.el6_5.4), regardless of whether the system was installed as 6.5 or updated to the 6.5 packages from an older release. Because Red Hat and CentOS backport fixes without changing the upstream version string, the openssl binary keeps reporting 1.0.1e even after patching, so check the package release rather than the OpenSSL version:

rpm -qa openssl

Note: openssl-1.0.1e-16.el6_5.7 (and any later release) includes the backported fix for this vulnerability; any earlier 1.0.1e release is vulnerable.

How can I protect my CentOS system from this vulnerability?

An update has been released that patches this vulnerability in OpenSSL 1.0.1e; special thanks to the RHEL and CentOS team for releasing a patched version so quickly.

To update the OpenSSL packages on your system, run:

yum clean all && yum update "openssl*"

Check that the package actually installed is openssl-1.0.1e-16.el6_5.7 (or later); the yum clean all clears cached repository metadata so that yum sees the new package.

Remediation/What else needs to be done after updating the OpenSSL packages?

Updating the package replaces the library files on disk, but every process that loaded the old libssl/libcrypto keeps the old, vulnerable code mapped in memory until it is restarted. To see which processes still reference the deleted libraries, run:

lsof -n | grep ssl | grep DEL

You must restart each process that still has the old libraries open (a reboot also does it, but is rarely necessary). Examples of processes that commonly still have the old libraries open:

  • mysql
  • postfix
  • webmin
  • openvpn
  • osad
  • nrpe
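
The following script is an added example for this post; it is not code from the original article and not a Red Hat or CentOS tool. It automates the two checks above: whether the installed openssl package carries the CVE-2014-0160 fix (by looking for the CVE in the package changelog, since the version string stays 1.0.1e), and which running processes still map a deleted libssl/libcrypto. The process check reads /proc/PID/maps directly, so it works on hosts where lsof is not installed. It assumes a Linux host with /proc and, for the package check, rpm; the checks only run when the script is invoked with --run (an assumed flag), so the functions can also be sourced.

```bash
#!/bin/bash
# Added example (not the original post's code, not a Red Hat/CentOS tool).
# Automates the two post-update checks for Heartbleed on CentOS 6:
#   1. does the installed openssl package carry the CVE-2014-0160 fix?
#   2. which running processes still map the old, deleted libssl/libcrypto?
# Check 2 reads /proc/PID/maps directly, so lsof is not required.
# Assumptions: a Linux host with /proc; rpm available for check 1.

# Returns 0 if the rpm changelog text on stdin mentions the Heartbleed CVE.
changelog_has_heartbleed_fix() {
    grep -qi 'CVE-2014-0160'
}

# Returns 0 if the /proc/PID/maps text on stdin references a deleted libssl
# or libcrypto, i.e. the process loaded the library before the package update.
maps_reference_stale_ssl() {
    grep -qE '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$'
}

# Prints "PID COMMAND" for every running process still using old OpenSSL.
stale_ssl_processes() {
    local maps pid comm
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if maps_reference_stale_ssl < "$maps" 2>/dev/null; then
            comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
            printf '%s %s\n' "$pid" "$comm"
        fi
    done
}

main() {
    local stale
    # Package check: the fixed build's %changelog names CVE-2014-0160, which
    # "openssl version" cannot show because the upstream string stays 1.0.1e.
    if rpm -q --changelog openssl 2>/dev/null | changelog_has_heartbleed_fix; then
        echo "openssl package OK: $(rpm -q openssl) carries the CVE-2014-0160 fix"
    else
        echo "openssl package NOT fixed: run  yum clean all && yum update 'openssl*'" >&2
        return 2
    fi

    # Process check: anything listed here must be restarted.
    stale=$(stale_ssl_processes)
    if [ -z "$stale" ]; then
        echo "no running process still maps the old OpenSSL libraries"
        return 0
    fi
    echo "restart these, they still map the deleted libssl/libcrypto:" >&2
    echo "$stale" >&2
    return 1
}

# Run the checks only when asked (assumed --run flag), so the functions can be sourced.
[ "${1:-}" = "--run" ] && main
```

Run it as bash heartbleed-check.sh --run: exit status 2 means the package is still unpatched, 1 means the package is fine but the listed processes must be restarted (on CentOS 6 that is normally service NAME restart for each one), and 0 means both checks are clean. Note that anything linked against libcrypto shows up in the process list, not just TLS servers; restarting those is harmless and the simplest way to be sure.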

Because the bug leaks memory contents without leaving a trace, assume that anything a vulnerable process held in memory may have been stolen. Once the system is patched (and only then, otherwise the new material can leak the same way), revoke and reissue TLS certificates with freshly generated private keys, and rotate user passwords, session cookies and any other secrets that passed through the affected services.

How can I check if my HTTPS site is still vulnerable?

You can use http://filippo.io/Heartbleed/ to test whether your HTTPS site is still vulnerable (thanks to Filippo Valsorda for the tool). A remote test only exercises the one host and port you give it, so check each TLS service separately rather than just the web server.


About Author: Curtis K

Hi! My name is Curtis, and I am the creator of CentOS Blog. Please feel free to comment any suggestions, feedback or questions on my posts!

  • I read everywhere that only CentOS 6.5 is vulnerable to the Heartbleed bug – but I just looked at our CentOS 6.3 servers – and they all have openssl 1.0.1e 16.el6_5, which seems to be vulnerable as well? (Did Filippo’s test – and it showed the site as vulnerable)
    According to this, older CentOS versions are also vulnerable … Am I missing something?!?
    Andreas Schnederle-Wagner

    • boece

      I read likewise. “Only 6.5” – yet that is apparently untrue. I’ve got several 6.4-based VMs running out in the wild that I’ve had to remediate.

      In short – when in doubt check it out.

      • centosblog

        Hey guys, apologies – should’ve worded it better. I’ve updated the article now – should state that any version of OpenSSL 1.0.1 – 1.0.1f prior to openssl-1.0.1e-16.el6_5.7 is vulnerable.


  • BerkeleyCitizen

    Tried this exact process and myserver#openssl version still returns: OpenSSL 1.0.1e-fips 11 Feb 2013.

    I even restarted. What gives?

    • centosblog

      Hi BerkeleyCitizen, if you’re using that command to check the version, it would be better to use “openssl version -a” – if the build date is after April 8, then your version of OpenSSL is safe.
