How to find out if your server is affected by the OpenSSL Heartbleed vulnerability (CVE-2014-0160) and how to fix it

A severe vulnerability has been found in OpenSSL. It is named Heartbleed and affects the heartbeat implementation in OpenSSL versions 1.0.1 up to 1.0.1f. The vulnerability can be used to obtain the private key of an SSL connection, so it is important to update the server immediately. The bug is fixed in OpenSSL 1.0.1g, and all major Linux distributions have released updates for it.

Find out if your server is affected

Run the command:

openssl version

to get the version number of OpenSSL. If the command shows e.g.:

openssl version
OpenSSL 1.0.1e 11 Feb 2013

then your server might be vulnerable, as the version is below 1.0.1g. However, some Linux distributions patch packages without changing the version number; see below for instructions to find out if the package on your server has been patched.

If your server uses a 0.9.8 release, as Debian squeeze does, then the server is not vulnerable, as the heartbeat function was only implemented in OpenSSL 1.0.1 and later versions.

openssl version
OpenSSL 0.9.8o 01 Jun 2010

Fix the vulnerability

To fix the vulnerability, install the latest updates for your server.

Debian

apt-get update
apt-get upgrade

Ubuntu

apt-get update
apt-get upgrade

Fedora and CentOS

yum update

OpenSuSE

zypper update

Then restart all services that use OpenSSL. On an ISPConfig 3 server, restart e.g. these services (when they are installed): sshd, apache, Nginx, postfix, dovecot, courier, pure-ftpd, bind and MySQL. If you want to be absolutely sure that you did not miss a service, then restart the whole server by running "reboot" on the shell.

Check if the Linux update installed the correct package

After you have installed the Linux updates, check if the openssl package has been upgraded correctly. Some Linux distributions patch packages, so "openssl version" does not always show whether the patch that fixes the vulnerability has been installed.

Check the package on Debian and Ubuntu:

dpkg-query -l 'openssl'

Here is the output for a correctly patched Debian 7 (Wheezy) server:

dpkg-query -l 'openssl'
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                Version         Architecture   Description
+++-===================-===============-==============-============================================
ii  openssl             1.0.1e-2+deb7u5 amd64          Secure Socket Layer (SSL) binary and related

For Fedora and CentOS, use this command to find the installed package name:

rpm -qa | grep openssl
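As an added example that is not part of the original tutorial, the following POSIX sh script applies the checks from the sections "Find out if your server is affected" and "Check if the Linux update installed the correct package": it classifies the "openssl version" banner (1.0.1 to 1.0.1f only means "check the package", because distributions backport the fix) and greps a package changelog for the CVE-2014-0160 fix line. The function names and the sample changelog text are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the howtoforge tutorial: classify the
# "openssl version" banner and check a package changelog for the
# CVE-2014-0160 fix. Function names and sample text are constructed.

# Classify a banner such as "OpenSSL 1.0.1e 11 Feb 2013".
#   not-affected       : 0.9.8 / 1.0.0 branches have no heartbeat code
#   fixed-upstream     : 1.0.1g or later
#   check-distro-patch : 1.0.1 .. 1.0.1f; distributions backport the fix
#                        without bumping the version, so check the package
classify_openssl_version() {
    ver=${1#OpenSSL }      # drop the leading "OpenSSL " word
    ver=${ver%% *}         # keep only the version token
    case "$ver" in
        0.9.8*|1.0.0*)             echo "not-affected" ;;
        1.0.1|1.0.1-*|1.0.1[a-f]*) echo "check-distro-patch" ;;
        1.0.1[g-z]*)               echo "fixed-upstream" ;;
        1.0.2-beta1*)              echo "check-distro-patch" ;;  # beta1 was affected too
        1.0.[2-9]*|1.[1-9]*)       echo "fixed-upstream" ;;
        *)                         echo "unknown" ;;
    esac
}

# Return 0 when the changelog text names the Heartbleed fix, as in the
# "rpm -q --changelog openssl" output quoted in the comments below.
changelog_has_fix() {
    printf '%s\n' "$1" | grep -q 'CVE-2014-0160'
}

# Constructed sample changelog entries (shape follows the RPM changelog format).
SAMPLE_FIXED_CHANGELOG='* Mon Apr 07 2014 Maintainer 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension'
SAMPLE_OLD_CHANGELOG='* Tue Jan 07 2014 Maintainer 1.0.1e-16.4
- fix CVE-2013-4353 - Invalid TLS handshake crash'

# Live check on this host: classify the installed binary, then grep the
# package changelog (RPM-based systems) for the fix if the version is ambiguous.
check_this_host() {
    class=$(classify_openssl_version "$(openssl version 2>/dev/null)")
    if [ "$class" = "check-distro-patch" ] && command -v rpm >/dev/null 2>&1; then
        if changelog_has_fix "$(rpm -q --changelog openssl 2>/dev/null)"; then
            class="fixed-by-distro"
        fi
    fi
    echo "$class"
}
```

On Debian and Ubuntu the changelog check has to be done against the package version from dpkg-query and the distribution advisory instead, since the rpm changelog is not available there.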

Here are the links with the release notes that contain the package names of the fixed versions:

Debian: http://www.debian.org/security/2014/dsa-2896
Ubuntu: http://www.ubuntu.com/usn/usn-2165-1/
Fedora: https://lists.fedoraproject.org/pipermail/announce/2014-April/003206.html
CentOS: http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html

As an alternative, install the latest OpenSSL from source.

Test

There is now a test available to verify that you have successfully closed the security hole on your server. The test can be found here:

http://filippo.io/Heartbleed/

Q&A on this topic in the howtoforge forum

Questions and answers on this topic in the howtoforge forum:

https://www.howtoforge.com/forums/showthread.php?t=65498


Comments

By:

You don't always get the real version with "openssl version".

Try "apt-cache policy openssl".

By:

openssl 1.0.1e in centos has been fixed.

The only thing you have to do is: yum update

It will automatically download and update a backported version of openssl-1.0.1e-16.el6_5.7 which has been patched by RedHat with heartbeat disabled.

To verify the update, check the changelog:

# rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160

You should see the following:

* Mon Apr 07 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.7 - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

By: Anonymous-kjakich

Hey, Thanks for that. It worked! 

By: Nico

Can you help me with this? I'm on CentOS as well, I did yum update and restarted the server, yet the latest update is:

 * Tue Jan 07 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.4
- fix CVE-2013-4353 - Invalid TLS handshake crash



By: Anonymous

>>> Run the command: openssl version to get the version number of openssh. <<< No, this will get you the vn of openssl. Don't drag OpenSSH into this, OpenSSH is not affected.

By:

Thanks for pointing out this typo. I corrected it in the tutorial.

By:

Hello,

I think that if you have a server up and running (in my case Ubuntu 12.04), apt-get update && apt-get upgrade is not the best way, since you have other services that are a little dangerous to update.

You can only apt-get update && apt-get install openssl libssl1.0.0

Don't forget to restart server. This worked fine for me!

By:

Please be aware that this fixes the openssl issue but leaves other issues open. So better check if you can not install all pending security updates. If your server is set up correctly, then Ubuntu maintenance and security updates should not cause any problems.