Saturday, April 12, 2014

Patching Openssl "heartbleed" vulnerability

The correct way to patch your server is to follow your OS vendor's recommendations. First determine the version of openssl installed:

$openssl version -a
OpenSSL 1.0.0-fips 29 Mar 2010
built on: Mon Oct 31 10:18:42 EDT 2011
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DWHIRLPOOL_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  aesni dynamic

If you are on a version below 1.0.1, or if openssl was compiled with -DOPENSSL_NO_HEARTBEATS, you are not exposed to the vulnerability. If you determine that you have openssl 1.0.1e or 1.0.2, you need to patch the openssl library. You can use the package manager to update openssl, for example:

$sudo yum update -y openssl

After the update finishes, run "openssl version -a" again and check that the "built on:" date now shows "April 7th", which means you are on the latest build of the 1.0.1 branch. Additionally, you can check which package provides libssl.so.* (in /usr/lib64) with an rpm query:

$rpm -q --provides openssl |grep libssl
libssl.so.10()(64bit)
libssl.so.10(OPENSSL_1.0.1)(64bit)
libssl.so.10(OPENSSL_1.0.1_EC)(64bit)
libssl.so.10(libssl.so.10)(64bit)

You can also determine which other packages depend on this openssl library by running the query below:

$rpm -q --whatrequires 'libssl.so.10()(64bit)'
sendmail-8.14.4-8.12.amzn1.x86_64
libssh2-1.4.2-1.10.amzn1.x86_64
m2crypto-0.20.2-9.10.amzn1.x86_64
wget-1.14-8.11.amzn1.x86_64
httpd-tools-2.2.26-1.1.amzn1.x86_64
openssl-1.0.1e-37.66.amzn1.x86_64
python26-2.6.9-1.46.amzn1.x86_64
mysql55-libs-5.5.36-1.44.amzn1.x86_64
mysql51-libs-5.1.73-3.69.amzn1.x86_64
php-cli-5.3.28-1.5.amzn1.x86_64
mysql51-5.1.73-3.69.amzn1.x86_64
perl-Net-SSLeay-1.55-1.8.amzn1.x86_64
ruby18-libs-1.8.7.374-2.42.3.amzn1.x86_64
perl-DBD-MySQL-4.023-2.16.amzn1.x86_64
mysql51-server-5.1.73-3.69.amzn1.x86_64
php-5.3.28-1.5.amzn1.x86_64
php-mysql-5.3.28-1.5.amzn1.x86_64

Now you can determine which processes need a restart after updating the openssl library (they still map the old, deleted copy of the library) by running either of the commands below:

$sudo lsof | grep libssl.so | grep '\<DEL\>'

OR

$sudo grep libssl.so /proc/*/maps | grep '(deleted)$' | cut -d/ -f3 | sort -u | xargs -r -- ps u

If neither command returns any results, no service needs a restart. Otherwise, restart the affected services, for example "postfix" or "httpd":

$sudo service postfix restart
$sudo service httpd restart
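The checks above, folded into a script so they can be run against captured text rather than typed by hand. This is an added example, not code from the original post: the function names and all sample data are constructed here, and the version classification goes slightly beyond the post by treating the whole affected upstream range (1.0.1 through 1.0.1f, plus the 1.0.2 betas) as affected, falling back to the post's "built on" date rule for distro packages that keep the 1.0.1e version string and backport the fix.

```shell
#!/bin/sh
# Added example, not code from the original post. It folds the post's two
# manual checks into functions that run on captured text:
#   heartbleed_status    - classify "openssl version -a" output
#   pids_needing_restart - find PIDs still mapping a deleted libssl
# Function names and all sample data below are constructed for this example.

# Print not-exposed | patched | exposed. Return 0 when nothing needs doing,
# 1 when the openssl library must be updated.
heartbleed_status() {
    out="$1"
    version=$(printf '%s\n' "$out" | awk '/^OpenSSL/ { print $2; exit }')
    built_on=$(printf '%s\n' "$out" | sed -n 's/^built on: //p')
    compiler=$(printf '%s\n' "$out" | sed -n 's/^compiler: //p')

    # Built with the heartbeat extension disabled: the bug is not compiled in.
    case "$compiler" in
        *OPENSSL_NO_HEARTBEATS*) echo not-exposed; return 0 ;;
    esac

    case "$version" in
        1.0.1|1.0.1[a-f]*|1.0.2-beta*) ;;                      # affected upstream releases
        1.0.1[g-z]*|1.0.2*)            echo patched; return 0 ;;
        *)                             echo not-exposed; return 0 ;;  # 0.9.8 / 1.0.0 branches
    esac

    # Distro packages keep the upstream version string (1.0.1e on RHEL and
    # Amazon Linux) and backport the fix, so for an affected version string the
    # build date decides, as the post does: built on or after 7 Apr 2014 is fixed.
    mon=$(printf '%s\n' "$built_on" | awk '{ print $2 }')    # "Mon Apr  7 22:04:00 UTC 2014"
    day=$(printf '%s\n' "$built_on" | awk '{ print $3 }')
    year=$(printf '%s\n' "$built_on" | awk '{ print $NF }')
    case "$mon" in
        Jan) m=1 ;; Feb) m=2 ;; Mar) m=3 ;;  Apr) m=4 ;;  May) m=5 ;;  Jun) m=6 ;;
        Jul) m=7 ;; Aug) m=8 ;; Sep) m=9 ;;  Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
        *)   m=0 ;;
    esac
    stamp=$(( ${year:-0} * 10000 + m * 100 + ${day:-0} ))
    if [ "$stamp" -ge 20140407 ]; then echo patched; return 0; fi
    echo exposed; return 1
}

# From "grep libssl.so /proc/*/maps" output (each line prefixed "/proc/PID/maps:"),
# print the distinct PIDs whose mapped libssl was deleted/replaced on disk.
pids_needing_restart() {
    printf '%s\n' "$1" | grep 'libssl\.so' | grep '(deleted)$' \
        | cut -d/ -f3 | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Constructed samples (not real hosts) covering the cases the post describes.
SAMPLE_OLD='OpenSSL 1.0.0-fips 29 Mar 2010
built on: Mon Oct 31 10:18:42 EDT 2011
compiler: gcc -fPIC -DOPENSSL_PIC'
SAMPLE_EXPOSED='OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Wed Feb 12 14:03:00 EST 2014
compiler: gcc -fPIC -DOPENSSL_PIC'
SAMPLE_PATCHED='OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Mon Apr  7 22:04:00 UTC 2014
compiler: gcc -fPIC -DOPENSSL_PIC'
SAMPLE_NOHB='OpenSSL 1.0.1e 11 Feb 2013
built on: Tue Mar 4 09:00:00 UTC 2014
compiler: gcc -fPIC -DOPENSSL_NO_HEARTBEATS'
SAMPLE_MAPS='/proc/1234/maps:7f3c2a000000-7f3c2a03c000 r-xp 00000000 ca:01 12345 /usr/lib64/libssl.so.10 (deleted)
/proc/2048/maps:7f0000000000-7f000003c000 r-xp 00000000 ca:01 12345 /usr/lib64/libssl.so.10 (deleted)
/proc/2048/maps:7f0000100000-7f000013c000 r--p 0003c000 ca:01 12345 /usr/lib64/libssl.so.10 (deleted)
/proc/3000/maps:7f1100000000-7f110003c000 r-xp 00000000 ca:01 99999 /usr/lib64/libssl.so.10'
SAMPLE_MAPS_CLEAN='/proc/3000/maps:7f1100000000-7f110003c000 r-xp 00000000 ca:01 99999 /usr/lib64/libssl.so.10'

for s in "$SAMPLE_OLD" "$SAMPLE_EXPOSED" "$SAMPLE_PATCHED" "$SAMPLE_NOHB"; do
    heartbleed_status "$s" || echo "  -> run: sudo yum update -y openssl"
done
echo "PIDs to restart: $(pids_needing_restart "$SAMPLE_MAPS")"

# On a live host, feed the real output instead of the samples:
#   heartbleed_status "$(openssl version -a)"
#   pids_needing_restart "$(grep libssl.so /proc/*/maps 2>/dev/null)"
```

The PID list only identifies processes; mapping a PID back to its service (httpd, postfix, sendmail from the rpm dependency list above) and restarting it is still done with "ps u" and "service <name> restart" as the post shows.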
