Heartbleed SSL Vulnerability

Posted on April 23, 2014

As you may be aware by now, a vulnerability was recently found relating to SSL encryption on systems running the OpenSSL module; more information on this can be found at http://heartbleed.com.

Additionally, you can check whether you are vulnerable using GlobalSign’s SSL checker: https://sslcheck.globalsign.com/en_GB.

This vulnerability only affects web servers running Apache and others using the vulnerable version of this module. You will be pleased to know that all our shared servers were patched and their SSL certificates republished when the issue was first announced.

All VPS, Hybrid Server and dedicated server customers should check whether they are affected.

Windows servers – Review any applications that have been installed, as they may be bundled with OpenSSL libraries. (Our standard build has no vulnerable applications installed.)

Linux servers – Inspect the installed OpenSSL library. The OpenSSL version can be viewed from the command line with the following command: openssl version -a

CentOS users can check that the “built on:” date is on or after April 8 2014 to confirm they are running a patched version.

However, the version number is not meaningful on its own, since distributions do not necessarily change it when they backport the fix; if a vulnerable version is displayed you will have to double-check the installed package by other means.

Systems vulnerable if unpatched: CentOS 6, Debian 7, Fedora, Ubuntu, FreeBSD
Systems not vulnerable: CentOS 5, Debian 6, SUSE 11, Windows Server

For clarity here is a list of OpenSSL branches:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
    • CentOS 6 – openssl-1.0.1e-15 is vulnerable
    • CentOS 6 – openssl-1.0.1e-16.el6_5.4 is vulnerable
    • CentOS 6 – openssl-1.0.1e-16.el6_5.7 is NOT vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable
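As an added example (not the hosting provider's or the OpenSSL project's own code), the POSIX shell script below turns the branch list above and the CentOS “built on:” date rule into checkable functions. The names `upstream_status`, `built_on_patched` and `heartbleed_status` are chosen here, and the “built on:” lines in the comments are constructed samples. It goes slightly beyond the post: 1.0.1 letters after g are also treated as fixed, and 1.0.2 pre-releases, which the post does not list, are reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example (not the hosting provider's tool): classify an OpenSSL build
# against the affected branches listed above, using only what
# `openssl version -a` prints: the version string and the "built on:" line.

# upstream_status VERSION
# Classifies the upstream version number alone:
#   1.0.1 through 1.0.1f      -> VULNERABLE (unless the distro backported a fix)
#   1.0.1g and later letters  -> NOT_VULNERABLE
#   1.0.0 and 0.9.8 branches  -> NOT_VULNERABLE (never had the heartbeat code)
#   anything else (e.g. the 1.0.2 betas, not covered by the post) -> UNKNOWN
upstream_status() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) echo VULNERABLE ;;
        1.0.1[g-z]*)                   echo NOT_VULNERABLE ;;
        1.0.0*|0.9.8*)                 echo NOT_VULNERABLE ;;
        *)                             echo UNKNOWN ;;
    esac
}

# built_on_patched "built on: Tue Apr  8 02:39:29 UTC 2014"   (constructed line)
# The post's CentOS rule: a build date on or after 8 April 2014 means the
# backported fix is in even though the version string still reads 1.0.1e.
# Returns 0 when the date is on or after 2014-04-08, 1 when earlier,
# 2 when the line cannot be parsed. Field order varies between OpenSSL
# releases, so each field is recognised by its shape rather than its position.
built_on_patched() {
    bo_mon=; bo_day=; bo_year=
    set -- $1            # word-split the line (unquoted on purpose)
    for f in "$@"; do
        case "$f" in
            Jan) bo_mon=1 ;;  Feb) bo_mon=2 ;;  Mar) bo_mon=3 ;;  Apr) bo_mon=4 ;;
            May) bo_mon=5 ;;  Jun) bo_mon=6 ;;  Jul) bo_mon=7 ;;  Aug) bo_mon=8 ;;
            Sep) bo_mon=9 ;;  Oct) bo_mon=10 ;; Nov) bo_mon=11 ;; Dec) bo_mon=12 ;;
            [0-9][0-9][0-9][0-9]) bo_year=$f ;;
            [0-9]|[0-9][0-9])     bo_day=$f ;;
        esac
    done
    if [ -z "$bo_mon" ] || [ -z "$bo_day" ] || [ -z "$bo_year" ]; then
        return 2
    fi
    [ "$bo_year" -gt 2014 ] && return 0
    [ "$bo_year" -lt 2014 ] && return 1
    [ "$bo_mon" -gt 4 ] && return 0
    [ "$bo_mon" -lt 4 ] && return 1
    [ "$bo_day" -ge 8 ]
}

# heartbleed_status VERSION BUILT_ON_LINE
# Combines the two rules: branch first; for a 1.0.1..1.0.1f string the build
# date then decides between a genuine hole and a distro backport. An
# unparseable date cannot confirm a backport, so it stays VULNERABLE.
heartbleed_status() {
    hs=$(upstream_status "$1")
    if [ "$hs" = VULNERABLE ]; then
        if built_on_patched "$2"; then
            echo PATCHED_BACKPORT
        else
            echo VULNERABLE
        fi
    else
        echo "$hs"
    fi
}

# Live check of this host (skipped where openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
    live_ver=$(openssl version | awk '{print $2}')
    live_built=$(openssl version -b)
    echo "openssl $live_ver: $(heartbleed_status "$live_ver" "$live_built")"
fi
```

A result of PATCHED_BACKPORT is the CentOS 6 openssl-1.0.1e-16.el6_5.7 case from the list above: the version string still says 1.0.1e, but the build date shows the fix was applied.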

If you are running a vulnerable OpenSSL version then we recommend that you patch your servers and restart any services utilising OpenSSL libraries.

For most Linux distributions, security updates are already available:

  • Debian / Ubuntu: apt-get update; apt-get -y install openssl libssl1.0.0
  • Fedora / CentOS: yum -y update openssl
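Patching replaces the library on disk, but a daemon that was already running keeps the old copy mapped until it is restarted, which is why the post says to restart services. As an added example (not the hosting provider's script), the shell functions below find such processes from `/proc/<pid>/maps`, where the kernel marks a mapping of a replaced file with a “(deleted)” suffix. The function names and the two sample maps excerpts are constructed here; the addresses and inode numbers in the samples are made up.

```shell
#!/bin/sh
# Added example (not the hosting provider's script): after `yum update openssl`
# or `apt-get install openssl libssl1.0.0`, list the processes that still have
# the OLD libssl/libcrypto mapped and therefore still need a restart.

# stale_libssl_in_maps MAPS_TEXT
# Returns 0 if the given /proc/<pid>/maps text still maps a deleted
# libssl/libcrypto file, 1 otherwise. Pure text logic, so it can be checked
# against constructed input without performing an upgrade.
stale_libssl_in_maps() {
    printf '%s\n' "$1" | grep -E 'lib(ssl|crypto)\.so[^ ]* \(deleted\)$' >/dev/null
}

# Constructed sample of a still-running httpd's maps file after the update
# (addresses and inode numbers are invented).
SAMPLE_STALE_MAPS='7f1c2a3b4000-7f1c2a5b4000 r-xp 00000000 fd:01 1234 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f1c2a5b4000-7f1c2a5d4000 r-xp 00000000 fd:01 1235 /usr/lib64/libssl.so.1.0.1e (deleted)
7f1c2a7b4000-7f1c2a7d4000 r-xp 00000000 fd:01 2001 /lib64/libz.so.1.2.3'
# The same process after a restart: the freshly installed files are mapped.
SAMPLE_CLEAN_MAPS='7f1c2a3b4000-7f1c2a5b4000 r-xp 00000000 fd:01 1240 /usr/lib64/libcrypto.so.1.0.1e
7f1c2a5b4000-7f1c2a5d4000 r-xp 00000000 fd:01 1241 /usr/lib64/libssl.so.1.0.1e'

# services_needing_restart
# Walks /proc (run as root to see every process) and prints "PID command"
# for each process still holding a deleted libssl/libcrypto mapping.
services_needing_restart() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        content=$(cat "$maps" 2>/dev/null) || continue   # unreadable: not ours
        if stale_libssl_in_maps "$content"; then
            echo "$pid $(cat "/proc/$pid/comm" 2>/dev/null)"
        fi
    done
}

# Usage after patching: an empty list means nothing still runs on the old
# library. (`lsof -n | grep DEL` is the usual manual equivalent.)
services_needing_restart
```

Restart each listed service (or reboot), then run it again until the list is empty; a process that keeps the old library mapped is still serving with the unpatched code no matter what `openssl version` reports.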