How to find out if your server is affected from Openssl Heartbleed vulnerability (CVE-2014-0160) and how to fix that
Author: Till Brehm <t [dot] brehm [at] howtoforge [dot] com>
Follow Howtoforge on Twitter
A severe vulnerability in OpenSSL has been found, the vulnerability is named Heartbleed and affects the heartbeat implementation in Openssl version 1.0.1 up to version 1.0.1f. This velnerability can be used to get the private key of a SSL connection, so it is important to update the server immediately. The bug is fixed in OpenSSL 1.0.1g. All Major Linux Distributions have release updates to the vulnerability.
Find out if your server is affected
Run the command:
to get the version number of openssl. If the command shows e.g.:
OpenSSL 1.0.1e 11 Feb 2013
then your server might be vulnerable as the version is below 1.0.1g. But some Linux distributions patch packages, see below for instructions to find out if the package on your server has been patched.
If your server uses a 0.9.8 release like it is used on Debian squeeze, then the server is not vulnerable as the heartbeat function has been implemented in OpenSSL 1.0.1 and later versions only.
OpenSSL 0.9.8o 01 Jun 2010
Fix the vulnerability
To fix the vulnerability, install the latest updates for your server.
Fedora and CentOS
Then restart all services that use OpenSSL. On a ISPConfig 3 server, restart e.g. these services (when they are installed): sshd, apache, nginx, postfix, dovecot, courier, pure-ftpd, bind and mysql. If you want to be absolutely sure that you did not miss a service, then restart the whole server by running "reboot" on the shell.
Check if the Linux update installed the correct package
After you installed the Linux updates, check if the openssl package has been upgraded correctly. Some Linux distributions
patch packages, so "openssl version" does not always show whether the correct patch that fixes the vulnerability has been installed.
Check the package on Debian and Ubuntu:
dpkg-query -l 'openssl'
Here the output for a correctly patched Debian 7 (Wheezy) server:
dpkg-query -l 'openssl'
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
ii openssl 1.0.1e-2+deb7u5 amd64 Secure Socket Layer (SSL) binary and related
For Fedora and CentOS, use this command to find the installed package name:
rpm -qa | grep openssl
Here are the links with the release notes that contain the package names of the fixed versions:
There is now a test available to verify if you successfully closed the security hole in your Server. The test can be found here:
Q&A on this Topic in the howtoforge forum
Questions and answers on this topic in the howtoforge forum: