Patching The Heartbleed OpenSSL Vulnerability

Security researchers have discovered a very serious vulnerability in the OpenSSL library that is used to power HTTPS on most websites. Many news sources are now covering the story, and we recommend reading their articles to understand the scope of what is happening and the impact of the threat:

To summarize: It is big.
It allows an attacker to extract information that was supposed to be private, including SSL private keys themselves. ArsTechnica explains it well:

The bug, which has resided in production versions of OpenSSL for more than two years, could make it possible for people to recover the private encryption key at the heart of the digital certificates used to authenticate Internet servers and to encrypt data traveling between them and end users. Attacks leave no traces in server logs, so there’s no way of knowing if the bug has been actively exploited. Still, the risk is extraordinary, given the ability to disclose keys, passwords, and other credentials that could be used in future compromises.

The Tor team summarizes their recommendation by saying, “If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle.”

What Should I Do as a Webmaster?

If you own a website, you must do your part and patch your operating system. If it is a dedicated server, it is your responsibility. If you are on a shared hosting platform, contact your hosting provider to remind them to update their servers. To update your server with the patch follow these step by step directions:

  1. Check if your site is vulnerable. We first recommend that you check your site on this page to see if it is vulnerable. If it is, keep reading to see what you need to do.
  2. Patch your server. We included steps for various server operating systems:
    • Patching Ubuntu/Debian dedicated servers. If you run Ubuntu or Debian on a VPS or dedicated server, you will likely need to patch it yourself. A quick way to do that is by updating all packages on your operating system with the following commands:

      sudo apt-get update
      sudo apt-get upgrade

      Then restart Apache.

    • Patching RedHat/CentOS/Fedora and most cPanel dedicated servers. If you run any RedHat-based server, you can patch your server by running:

      yum update

      Once all packages are updated, you should see inside /var/log/yum.log that OpenSSL was fixed:

      # tail /var/log/yum.log |grep ssl
      Apr 08 03:49:26 Updated: openssl-1.0.1e-16.el6_5.7.x86_64
      Apr 08 03:49:27 Updated: openssl-devel-1.0.1e-16.el6_5.7.x86_64

      Once that is done, you need to restart Apache for the fix to take effect.

    • Other servers: If you are on a shared host, you can’t do anything. You’ll need to contact your hosting company and wait for them to run the patch for you.

      If you are using any other Linux (or BSD) distribution on a dedicated server, you need to follow their steps to update OpenSSL.

    • Restart Apache. Do not forget to restart Apache (or Nginx). We are seeing many patched servers that are still vulnerable because this simple step was forgotten: a running process keeps using the old OpenSSL library until it is restarted.
  3. Generate new certificates: This vulnerability was just disclosed a day ago, but it is possible that a malicious party has known about it for longer than that. If you run a popular website or take confidential information, you might want to generate new certificates and encryption keys just to be on the safe side.
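The step most often missed above is the restart: once apt-get or yum has replaced libssl/libcrypto on disk, any process started before the upgrade still has the old copy mapped, and the kernel marks that mapping "(deleted)" in /proc/<pid>/maps. The following script is an added example (not part of the original post or of Sucuri's tooling) that looks for exactly that condition; the sample maps file it embeds is constructed, with hypothetical addresses and inodes, and the library file names follow the CentOS 6 openssl 1.0.1e package shown in the yum.log excerpt.

```shell
#!/bin/sh
# Added example, not from the original post. After "apt-get upgrade" or "yum update"
# replaces libssl/libcrypto on disk, a process started before the upgrade keeps the
# OLD copy mapped and stays vulnerable until restarted; the kernel flags such mappings
# with "(deleted)" in /proc/<pid>/maps. These helpers find exactly that.

# Print the OpenSSL library paths in one maps file whose on-disk file has been replaced.
# $1: a /proc/<pid>/maps file (or a saved copy of one).
stale_ssl_maps() {
    # maps columns: address perms offset dev inode pathname [(deleted)]
    awk '/lib(ssl|crypto)[^ ]*\.so/ && /\(deleted\)/ { print $6 }' "$1" | sort -u
}

# Succeeds (exit 0) when the maps file shows no stale OpenSSL mapping.
maps_are_clean() {
    [ -z "$(stale_ssl_maps "$1")" ]
}

# Walk every readable process on the host; list those that still need a restart.
# Run as root so that Apache/Nginx workers owned by other users are visible.
report_stale_processes() {
    needs_restart=0
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        libs=$(stale_ssl_maps "$maps" | tr '\n' ' ')
        if [ -n "$libs" ]; then
            echo "PID $pid ($(cat "/proc/$pid/comm" 2>/dev/null)) still maps: $libs"
            needs_restart=1
        fi
    done
    return $needs_restart
}

# Constructed sample of a maps file from a worker started before the upgrade
# (hypothetical addresses and inodes; library names follow the CentOS 6 1.0.1e build).
SAMPLE_MAPS=$(mktemp)
trap 'rm -f "$SAMPLE_MAPS"' EXIT
cat > "$SAMPLE_MAPS" <<'EOF'
7f2a0c000000-7f2a0c1a0000 r-xp 00000000 fd:01 131077 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f2a0c3a0000-7f2a0c400000 r-xp 00000000 fd:01 131080 /usr/lib64/libssl.so.1.0.1e (deleted)
7f2a0c600000-7f2a0c7b0000 r-xp 00000000 fd:01 131100 /lib64/libc-2.12.so
EOF

# Demonstrate on the sample; pass --scan to inspect the live host instead.
if [ "${1:-}" = "--scan" ]; then
    report_stale_processes
else
    stale_ssl_maps "$SAMPLE_MAPS"   # prints the two (deleted) OpenSSL libraries
fi
```

A non-zero exit from `report_stale_processes` means at least one service (typically Apache or Nginx workers) still needs to be restarted; an empty listing from the live scan is the confirmation the yum.log check alone cannot give.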
CloudProxy Users Protected

If your site is behind our website firewall, you are already protected against this and any exterior threat. Anyone can sign up for it, regardless of host or CMS, and get their sites protected in just a few minutes.

  1. Thanks for spreading the word, Daniel.
    I’ve just contacted my hosting provider and I’ll send him a link to this post.

    I’d love to go with the Cloudproxy for 8 of my sites, are you doing any deals?
    If you aren’t, now might be a good time to think about it.

  2. Hi Daniel. I’m not sure how Cloudproxy could protect against such an attack. In fact, it would probably make it worse as the memory leak will affect all customers using that host. Can you please explain how you think Cloudproxy would protect customers against this vulnerability? If you’re running the vuln OpenSSL, you’re owned – no WAF is going to save you.
