How to identify OpenSSL Heartbleed Bug on your cloud server and how to fix it?
The Heartbleed bug is a serious vulnerability in the OpenSSL package. It affects only OpenSSL versions 1.0.1 through 1.0.1f and 1.0.2-beta1 that were not patched before April 7 2014. For OpenSSL 1.0.1 the OS vendors have released official patches for this issue in their respective repositories, so you will need to update your OpenSSL package to the current release and then restart the services that depend on OpenSSL, such as the Apache web server or Nginx. A full reboot of the server may be more practical, since it restarts every service at once.
For OpenSSL 1.0.2-beta1, the fix will be included in 1.0.2-beta2.
Testing:
To see the version of OpenSSL installed on your server please try the following commands from SSH:
# openssl version
# yum list installed | grep openssl
# rpm -qa | grep openssl
# dpkg --get-selections | grep openssl
Resolution:
The following commands need to be run from SSH while logged in as the root user:
RHEL based OS (Red Hat, CentOS):
# yum clean all
# yum update openssl
# /etc/init.d/httpd stop
# /etc/init.d/httpd start
If using Nginx also use the following to restart the service:
# /etc/init.d/nginx restart
If you are using Plesk then also restart the Plesk control panel service:
# /etc/init.d/sw-cp-server restart
Then use the following command to see whether any processes are still using the old version. If any are displayed, you will need to restart those services as necessary:
# lsof -n | grep ssl | grep -i del
The current releases that have the issue corrected are as follows:
CentOS/Red Hat 64-bit: openssl-1.0.1e-16.el6_5.7.x86_64.rpm
CentOS/Red Hat 32-bit: openssl-1.0.1e-16.el6_5.7.i686.rpm
For Debian based OS (Debian, Ubuntu):
# apt-get update
# apt-get install openssl
# /etc/init.d/apache2 stop
# /etc/init.d/apache2 start
If using Nginx also use the following to restart the service:
# /etc/init.d/nginx restart
If you are using Plesk then also restart the Plesk control panel service:
# /etc/init.d/sw-cp-server restart
Then use the following command to see whether any processes are still using the old version. If any are displayed, you will need to restart those services as necessary:
# lsof -n | grep ssl | grep -i del
The current releases that have the issue corrected are as follows:
Ubuntu 13.10: openssl 1.0.1e-3ubuntu1.2
Ubuntu 12.10: openssl 1.0.1c-3ubuntu2.7
Ubuntu 12.04 LTS: openssl 1.0.1-4ubuntu5.12
Debian (wheezy): openssl 1.0.1e-2+deb7u5
Alternatively, you can download OpenSSL 1.0.1g from the official website https://www.openssl.org/ and compile it on your server, as the issue is also corrected in this version.
If you are unable to update to the latest version of OpenSSL, you can also recompile your current version with the -DOPENSSL_NO_HEARTBEATS option to disable the TLS heartbeat feature.
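The two checks from the procedure above (classifying the `openssl version` output against the affected range, and finding processes that still map the deleted library after the update) as a small POSIX shell script. This is an added example, not part of the original article; the lsof sample is constructed, and the function names are mine. Note that vendor packages backport the fix without bumping the upstream version string (the fixed RHEL rpm above still reports 1.0.1e), so an "affected" result from the version string alone must be confirmed against the package releases listed above.

```shell
#!/bin/sh
# Added example (not from the original article). Two checks from the procedure:
#  1. classify an `openssl version` string against the affected range
#     (1.0.1 through 1.0.1f, and 1.0.2-beta1);
#  2. parse `lsof -n` output for processes still mapping a deleted libssl/libcrypto,
#     i.e. services that must be restarted after the package update.
# Caveat: distro packages backport the fix without changing the upstream version
# string, so "affected" means "confirm the package release against the fixed list".

# Prints "affected" or "unaffected" for one `openssl version` output line.
heartbleed_version_status() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) echo affected ;;  # 1.0.1 .. 1.0.1f, incl. -fips builds
        1.0.2-beta1|1.0.2-beta1-*)              echo affected ;;
        *)                                       echo unaffected ;;
    esac
}

# Reads `lsof -n` output on stdin; prints the unique command names that still hold a
# deleted libssl or libcrypto mapping (same condition as the lsof | grep pipeline above,
# widened to libcrypto, which the same package update replaces).
stale_ssl_processes() {
    awk 'tolower($0) ~ /libssl|libcrypto/ && $0 ~ /\(deleted\)/ { print $1 }' | sort -u
}

# Constructed sample lsof output (not a real capture): two services still map the old
# library, sshd has already been restarted and uses the new file.
SAMPLE_LSOF='COMMAND  PID USER   FD  TYPE DEVICE SIZE/OFF   NODE NAME
httpd   1234 apache mem  REG  253,0   403720 131201 /usr/lib64/libssl.so.1.0.1e (deleted)
nginx   2345 nginx  mem  REG  253,0   403720 131201 /usr/lib64/libssl.so.1.0.1e (deleted)
sshd    3456 root   mem  REG  253,0   403720 131299 /usr/lib64/libssl.so.1.0.1e
httpd   1235 apache mem  REG  253,0  1935232 131199 /usr/lib64/libcrypto.so.1.0.1e (deleted)'

demo() {
    for v in "OpenSSL 1.0.1e-fips 11 Feb 2013" "OpenSSL 1.0.1g 7 Apr 2014" \
             "OpenSSL 1.0.2-beta1 24 Feb 2014" "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008"; do
        printf '%-40s %s\n' "$v" "$(heartbleed_version_status "$v")"
    done
    echo "Processes still using a deleted libssl/libcrypto (restart these):"
    printf '%s\n' "$SAMPLE_LSOF" | stale_ssl_processes
    # On a live host: heartbleed_version_status "$(openssl version)"; lsof -n | stale_ssl_processes
}

demo
```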