Heartbleed Bug Summary
A new bug in OpenSSL has been discovered that allows a remote attacker to access parts of memory on systems using vulnerable versions of OpenSSL (eg: HTTPS). This can allow an attacker to gain access to private keys, usernames, passwords and eavesdrop on encrypted traffic. For more information, see: http://heartbleed.com/
What versions of OpenSSL are affected?
OpenSSL 1.0.1 through 1.0.1f are affected; the vulnerability is fixed upstream in OpenSSL 1.0.1g. Most CentOS 6.x systems are vulnerable, as they run OpenSSL 1.0.1e (openssl-1.0.1e-16.el6_5.4). If in doubt, check your installed OpenSSL package version with the following command:
rpm -qa openssl
Note: the OpenSSL package openssl-1.0.1e-16.el6_5.7 includes the backported fix for this vulnerability.
How can I protect my CentOS system from this vulnerability?
An update has been released that patches this vulnerability in OpenSSL 1.0.1e; special thanks to the RHEL and CentOS teams for releasing a patched version so quickly.
To update the OpenSSL packages on your system, run:
yum clean all && yum update "openssl*"
Check the yum output to confirm that the package being installed is specifically openssl-1.0.1e-16.el6_5.7 (or later).
Remediation/What else needs to be done after updating the OpenSSL packages?
After updating the packages, run the following command to list the processes that still have the old (now deleted) OpenSSL libraries mapped:
lsof -n | grep ssl | grep DEL
You must restart each process that still has the old libraries open. Examples of processes that may still have the old libraries open:
Beyond that, it is highly recommended to revoke and regenerate any certificates and private keys, and to reset user passwords and other secrets, that may have been exposed through this vulnerability.
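The two checks from the steps above (is the installed openssl package at least the fixed build, and which processes still map a deleted libssl/libcrypto) as an added shell example; this is not code from the original page. It assumes GNU `sort -V` for ordering package versions, which is a close approximation of rpm's own comparison for these strings, and the lsof sample it parses is constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Both checks are written as
# functions that parse command output on stdin, so they can be run over
# captured text as well as live. Assumes GNU `sort -V` (coreutils).
FIXED_OPENSSL="openssl-1.0.1e-16.el6_5.7"   # fixed build named on the page

# openssl_is_fixed: stdin = `rpm -qa openssl` output, one package per line.
# Exit 0 only if every listed package is FIXED_OPENSSL or later.
openssl_is_fixed() {
  rc=0
  while IFS= read -r pkg; do
    [ -z "$pkg" ] && continue
    nvr="${pkg%.x86_64}"; nvr="${nvr%.i686}"     # drop the arch suffix
    # If the installed NVR sorts before the fixed one, it is older.
    first=$(printf '%s\n%s\n' "$FIXED_OPENSSL" "$nvr" | sort -V | head -n 1)
    if [ "$first" != "$FIXED_OPENSSL" ]; then
      echo "VULNERABLE: $pkg is older than $FIXED_OPENSSL"; rc=1
    else
      echo "ok: $pkg"
    fi
  done
  return $rc
}

# deleted_ssl_users: stdin = `lsof -n` output. Prints "PID COMMAND" once per
# process that still maps a deleted libssl/libcrypto (FD column "DEL", or a
# "(deleted)" mem mapping), i.e. the processes that must be restarted.
deleted_ssl_users() {
  awk '/libssl|libcrypto/ && ($4 == "DEL" || /\(deleted\)/) { print $2, $1 }' | sort -u
}

# Constructed sample of lsof output (columns: COMMAND PID USER FD TYPE ...).
SAMPLE_LSOF='httpd 1234 apache DEL REG 253,0 131098 /usr/lib64/libssl.so.1.0.1e
httpd 1234 apache DEL REG 253,0 131097 /usr/lib64/libcrypto.so.1.0.1e
sshd 2222 root mem REG 253,0 131098 /usr/lib64/libssl.so.1.0.1e (deleted)
nginx 3333 nginx mem REG 253,0 140001 /usr/lib64/libssl.so.1.0.1e
bash 4444 root DEL REG 253,0 99999 /usr/lib64/libz.so.1'

# Live run on a CentOS host: sh heartbleed_check.sh --live
if [ "${1:-}" = "--live" ]; then
  rpm -qa openssl | openssl_is_fixed
  echo "Processes still using deleted OpenSSL libraries (restart these):"
  lsof -n 2>/dev/null | deleted_ssl_users
fi
```

Run over the constructed sample, `deleted_ssl_users` reports httpd (1234) and sshd (2222) but not nginx, whose mapping is live, nor bash, whose deleted library is not an OpenSSL one.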