Heartbleed vulnerability in OpenSSL

This Heartbleed vulnerability allows an attacker to read 64 kilobyte chunks of memory from the servers and clients that connect using SSL through a flaw in the OpenSSL’s implementation of the heartbeat extension.

cPanel & WHM does not provide any copies of the OpenSSL library. The daemons and applications shipped with cPanel & WHM link to the version of OpenSSL provided by the core operating system.

RedHat 6, CentOS 6, and CloudLinux 6 provided vulnerable versions of OpenSSL 1.0.1. All three distros have published patched versions of their OpenSSL 1.0.1 RPMs to their mirrors.

How to fix this Heartbleed vulnerability?

 

To update any affected servers, use the following commands.

1. SSH to your server

2. yum update openssl

3. /scripts/upcp —force

4. /etc/init.d/cpanel restart

5.  stop apache with the command:

service httpd stop

6.  kill any remaining apache processes

7.  start apache with command:

service httpd start

8.  Please test your server at http://filippo.io/Heartbleed/ to confirm the server is patched.

9.  If your server still shows vulnerable still after step #8 we have found it is necessary to recompile apache.  Recompile apache and run step #8 again.

Also you can ensure you are updated by running the following command:

rpm -q –changelog openssl | grep -B 1 CVE-2014-0160
* Mon Apr 07 2014 Tomáš Mráz 1.0.1e-16.7
- fix CVE-2014-0160 – information disclosure in TLS heartbeat extension

 

Once the RPM of OpenSSL has been updated you should reset all certificates via the Manage Service SSL Certificates interface in WHM.

Home » Service Configuration » Manage Service SSL Certificates

You will need to click the ‘Reset Certificate’ link for each service: FTP, Exim, cPanel/WHM/Webmail Service, and Dovecot or Courier Mail Server.

You should also check the SSL certificates in the Manage SSL Hosts interface of WHM.

Home » SSL/TLS » Manage SSL Hosts

Many Certificate Authorities are helping their customers regenerate SSL certificates at no cost to fix Heartbleed vulnerability in OpenSSL.

This may vary and your Certificate Authority should be contacted prior to any actions to ensure the proper procedures are followed.
It is recommended that you regenerate all SSH keys and reset all passwords across the server.

¿Fue útil la respuesta?

0 Los Usuarios han Encontrado Esto Útil