Heartbleed Bug: OpenSSL Security Vulnerability Fix

A critical security advisory was issued for OpenSSL versions starting at 1.0.1 up to and including 1.0.1f.  This vulnerability permits an attacker to remotely read the contents of memory on the server which could include the SSL private keys, usernames, passwords, etc. Basically, worst-case scenario.
Take immediate action and apply the appropriate updates to any web servers you may have using the OpenSSL libraries.  This will typically include any Linux systems running the Apache web server.
NOTE: Windows servers running IIS are not known to be vulnerable at this time.  
OpenSSL 1.0.1g has been released to fix the issue, known as the “Heartbleed Bug.”  The common Linux distributions are releasing updates to fix the vulnerability.  If one is not yet available for your OS, continue to check frequently with your vendor.  
The quickest way to determine which version of OpenSSL you are using is to run the following in a terminal window:
      >>openssl version
For a vulnerable system, this will return a version in the 1.0.1 line before 1.0.1g, i.e. 1.0.1 through 1.0.1f; 1.0.1g and later are fixed.
Due to the severity of the bug, you should revoke and reissue all existing SSL certificates on vulnerable web servers using a new private key after you have updated your system. 
UPDATES: 
Servers running Ubuntu will not show the fixed version in the response from the command above: "openssl version" will continue to respond with "1.0.1" because Ubuntu backports the fix into its existing package rather than moving to 1.0.1g. The bug fix for Ubuntu servers is included in package version 1.0.1-4ubuntu5.12 on those systems, so check the installed package version instead of the "openssl version" string.
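The two checks above (the upstream "openssl version" string, and the Ubuntu package version where the string is not informative) can be scripted so they are not misread under pressure. The script below is an added example, not part of the original post: it classifies version strings using only the ranges given above (1.0.1 through 1.0.1f vulnerable, 1.0.1g fixed, Ubuntu package 1.0.1-4ubuntu5.12 fixed). The sample strings fed to it are constructed; reading the package version through dpkg-query and checking the libssl1.0.0 library package alongside the openssl command-line package are my assumptions about a Debian-style system, not something the post states.

```sh
#!/bin/sh
# Added example: classify OpenSSL versions against the Heartbleed ranges named
# in the post. Functions print one of: vulnerable | fixed | outside-range | unknown

# Classify the output of `openssl version`, e.g. "OpenSSL 1.0.1f 6 Jan 2014".
heartbleed_upstream_status() {
    # Pull the bare version token (digits, dots, optional letter suffix).
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }
    case "$ver" in
        1.0.1|1.0.1[a-f]) echo vulnerable ;;     # 1.0.1 .. 1.0.1f per the advisory
        1.0.1[g-z])       echo fixed ;;          # 1.0.1g and later letter releases
        1.0.1*)           echo unknown ;;        # anything odd in the 1.0.1 line
        *)                echo outside-range ;;  # not in the range the post names
    esac
}

# Classify a Debian/Ubuntu package version such as "1.0.1-4ubuntu5.12"
# (obtained with: dpkg-query -W -f='${Version}' openssl).
# Only the 1.0.1-4ubuntu5.N line is classified, since that is the one the post
# gives a fixed version for; assumption: those releases sort numerically by N.
# Other Ubuntu releases use different package versions and report "unknown".
heartbleed_ubuntu_status() {
    case "$1" in
        1.0.1-4ubuntu5.*)
            n=${1#1.0.1-4ubuntu5.}
            n=${n%%[!0-9]*}                      # keep the leading number only
            [ -n "$n" ] || { echo unknown; return 0; }
            if [ "$n" -ge 12 ]; then echo fixed; else echo vulnerable; fi ;;
        *) echo unknown ;;
    esac
}

# Live check of this host. Run as: sh heartbleed_check.sh --live
# (skipped when invoked without --live so the functions can be sourced/tested).
if [ "${1:-}" = "--live" ]; then
    if command -v openssl >/dev/null 2>&1; then
        v=$(openssl version)
        echo "$v -> $(heartbleed_upstream_status "$v")"
    else
        echo "openssl binary not found in PATH"
    fi
    if command -v dpkg-query >/dev/null 2>&1; then
        # Assumption: Apache links against libssl1.0.0, so check it as well.
        for pkg in openssl libssl1.0.0; do
            pv=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null || true)
            [ -n "$pv" ] && echo "package $pkg $pv -> $(heartbleed_ubuntu_status "$pv")"
        done
    fi
fi
```

On Ubuntu the package result is the one that matters, because the upstream string stays at "1.0.1" after the fix; on other distributions a result of "unknown" means the package version does not follow the pattern the post describes and you should compare it against your vendor's own advisory.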
Those using any Cisco products in their infrastructure should check out:
http://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20140409-heartbleed.html
