Critical Update of OpenSSL!

The OpenSSL project has released a security advisory for CVE-2014-0160 ("Heartbleed"), a critical vulnerability in the widely used OpenSSL cryptographic library. Status of the different versions:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable;
  • OpenSSL 1.0.1g is the corrected version that needs to be installed;
  • OpenSSL 1.0.0 is not vulnerable;
  • OpenSSL 0.9.8 is not vulnerable.

The bug was introduced into the OpenSSL source tree in December 2011 and has been shipping since OpenSSL 1.0.1, released on 14 March 2012. OpenSSL 1.0.1g, released on 7 April 2014, fixes it. Vulnerable versions were therefore available for two years and were widely used by modern operating systems.

The main factor in the spread of the vulnerability is that support for TLS 1.1 and 1.2 first appeared in a vulnerable version of OpenSSL (1.0.1), and the recommendations made by security experts after the previously known attacks on TLS (notably BEAST) focused on rapid deployment of TLS 1.2. Vulnerable versions of OpenSSL are used by the popular web servers Nginx and Apache, by mail servers, IM servers, VPNs and many other programs. Some operating system distributions with potentially vulnerable OpenSSL versions:

  • Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4;
  • Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11;
  • CentOS 6.5, OpenSSL 1.0.1e-15;
  • Fedora 18, OpenSSL 1.0.1e-4;
  • OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012);
  • FreeBSD 8.4 (OpenSSL 1.0.1e) and 9.1 (OpenSSL 1.0.1c);
  • NetBSD 5.0.2 (OpenSSL 1.0.1e);
  • OpenSUSE 12.2 (OpenSSL 1.0.1c).

Operating system distributions whose shipped versions are not vulnerable:

  • Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
  • SUSE Linux Enterprise Server

The bug is present in the OpenSSL 1.0.1 and 1.0.2-beta releases, including 1.0.1f and 1.0.2-beta1. Affected users must install the fixed version 1.0.1g immediately. Because the bug leaks the contents of server memory, private keys must be treated as compromised: generate new keys, reissue the certificates and revoke the old ones, and take the other safety measures that follow from a memory leak (session tokens and credentials held in memory may also have been exposed). Users should be warned that their passwords may have been compromised and advised to change them once the server is fixed.

If the upgrade cannot be done immediately, OpenSSL can be recompiled with -DOPENSSL_NO_HEARTBEATS, which disables the affected TLS heartbeat extension. You can test whether your website is vulnerable at filippo.io/Heartbleed/. All major Linux distributions have released the necessary openssl package updates. To upgrade CentOS 6, run:

yum clean all
yum update openssl

To install the update on Debian 7 / Ubuntu 12.04, run:

apt-get update
apt-get install --only-upgrade openssl
apt-get install --only-upgrade libssl1.0.0

After the upgrade you must restart every service that uses this library: a running process keeps the old copy of libssl mapped in memory until it is restarted, so the package update alone does not protect it. For example:

service nginx restart

or

service httpd restart

and on Ubuntu and Debian:

service apache2 restart
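As an added check for the upgrade-and-restart procedure above (an example script written for this page, not part of the original notice or of OpenSSL itself): the script classifies the version string that `openssl version` reports against the vulnerable range, and after the package upgrade lists the processes that still have the old, now deleted, libssl/libcrypto mapped and therefore must be restarted. The function names, the `--scan` flag and the assumption of a Linux /proc layout are this example's own. One caveat a practitioner needs: distributions backport the fix without changing the upstream version string (a patched Debian build still reports 1.0.1e), so a version hit means "compare the package version with your distribution's advisory", not "definitely vulnerable".

```shell
#!/bin/sh
# Added example for this advisory (not from the original notice or from OpenSSL).
#
#   is_vulnerable_openssl VERSION   exit 0 when VERSION (the second word of
#                                   "openssl version" output) lies in the
#                                   Heartbleed range 1.0.1..1.0.1f or is a
#                                   1.0.2 beta; exit 1 otherwise
#   stale_libssl_pids PROC_ROOT     print the PIDs whose memory maps still
#                                   reference a deleted libssl/libcrypto, i.e.
#                                   processes that loaded the old library before
#                                   the package upgrade and were never restarted
#
# Caveat (assumption about distro packaging, see the lead-in): a backported fix
# keeps the upstream version string, so treat a "vulnerable" verdict from
# is_vulnerable_openssl as "check the package version", not as proof.

is_vulnerable_openssl() {
    case "$1" in
        1.0.1)        return 0 ;;   # plain 1.0.1 (no letter suffix): vulnerable
        1.0.1[a-f]*)  return 0 ;;   # 1.0.1a .. 1.0.1f: vulnerable
        1.0.2-beta*)  return 0 ;;   # the 1.0.2 betas carried the same code
        *)            return 1 ;;   # 1.0.1g and later, 1.0.0, 0.9.8: not affected
    esac
}

stale_libssl_pids() {
    root=${1:-/proc}
    # /proc/<pid>/maps lines end in "<path> (deleted)" when the mapped file has
    # been replaced on disk, which is exactly what a package upgrade does.
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue          # no match, or another user's process
        if grep -Eq '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            pid=${maps%/maps}
            echo "${pid##*/}"
        fi
    done
    return 0
}

main() {
    if command -v openssl >/dev/null 2>&1; then
        ver=$(openssl version | awk '{print $2}')
        if is_vulnerable_openssl "$ver"; then
            echo "openssl $ver is in the vulnerable range (verify the package version: the fix may be backported)"
        else
            echo "openssl $ver is outside the vulnerable range"
        fi
    fi
    stale=$(stale_libssl_pids /proc)
    if [ -n "$stale" ]; then
        echo "processes still using a deleted libssl/libcrypto; restart them:"
        for p in $stale; do
            printf '  %s %s\n' "$p" "$(tr '\0' ' ' < "/proc/$p/cmdline" 2>/dev/null)"
        done
    else
        echo "no running process is using a deleted libssl/libcrypto"
    fi
}

# Usage: sh heartbleed_check.sh --scan   (run as root to see every process)
if [ "${1:-}" = "--scan" ]; then
    main
fi
```

Run it as root after the yum/apt-get commands: any PID it prints is a service that is still executing the old library and must be restarted (or the host rebooted); an empty list after the restarts is the confirmation you want.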

Important:

Updates have already been applied for clients who use our constant administration service, so they do not have to do anything. For everyone else, we strongly recommend updating the library, or contact us for help via the ticketing system. The cost of the update is 9 euros.