Server Security

Patching the Heartbleed Bug in OpenSSL

by Bill Brooks

Recently, a vulnerability was announced with OpenSSL based on a bug called Heartbleed:

“This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).”

 – heartbleed.com

This vulnerability impacts OpenSSL versions 1.0.1 and 1.0.2-beta. ServInt customers may have this vulnerability if they are running CentOS 6. CentOS 4 and 5 do not have versions impacted by the Heartbleed vulnerability.

You can check if you are vulnerable by visiting http://filippo.io/Heartbleed/ or by running this command via SSH:

rpm --changelog -q openssl |grep CVE-2014-0160

If there is no output, your version of OpenSSL is vulnerable; if there is output, your version of OpenSSL has been patched. If OpenSSL is vulnerable on your server, you’re in luck: there is a patch. If you are using WHM/cPanel you can run an update by:

  1. WHM »cPanel »Upgrade to Latest Version
  2. WHM »Restart Services »HTTP Server (Apache)
  3. Click the “Force a reinstall even if the system is up to date.”

If you are not using WHM/cPanel, you can run:

yum update -y openssl
/etc/init.d/httpd restart

After you have updated the software, you can run the rpm command or visit the site again to see the updated results.
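As an added example (this is not code from the post or from ServInt), the check described above can be turned into a small script that classifies a host from the same two signals the post uses: the OpenSSL version branch and the CVE-2014-0160 entry in the RPM changelog. It also lists processes that still have the old, deleted libssl mapped after `yum update`, which is why the post restarts Apache. The `rpm -q --qf '%{VERSION}'` and `rpm -q --changelog` queries are standard rpm options; the sample changelog text and the version strings below are constructed for the demonstration, and the stale-library scan assumes a Linux `/proc` filesystem.

```shell
#!/bin/sh
# Added example, not code from the original post: classify a host's OpenSSL
# package from its version branch and its RPM changelog entry for
# CVE-2014-0160, then look for processes that still map the pre-update
# library. The classification functions take their input as arguments so
# they can be exercised on constructed sample output without rpm installed.

# Affected branches named in the post: 1.0.1 and 1.0.2-beta. Older branches
# such as 0.9.8 (CentOS 5) and 1.0.0 never contained the heartbeat code.
affected_branch() {
    case "$1" in
        1.0.1*|1.0.2-beta*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a host from its OpenSSL version string and the output of
# `rpm --changelog -q openssl`. Prints: not-affected, patched or vulnerable.
heartbleed_status() {
    version="$1"
    changelog="$2"
    if ! affected_branch "$version"; then
        echo "not-affected"
    elif printf '%s\n' "$changelog" | grep -q 'CVE-2014-0160'; then
        echo "patched"       # vendor backported the fix into this build
    else
        echo "vulnerable"    # affected branch with no record of the fix
    fi
}

# Live check on an RPM-based host: query the installed version and changelog
# and classify them. Prints "unknown" where rpm or the package is missing.
check_installed_openssl() {
    command -v rpm >/dev/null 2>&1 || { echo "unknown"; return 0; }
    ver=$(rpm -q --qf '%{VERSION}' openssl 2>/dev/null) || { echo "unknown"; return 0; }
    log=$(rpm -q --changelog openssl 2>/dev/null)
    heartbleed_status "$ver" "$log"
}

# Updating the package replaces the file on disk, but a running httpd keeps
# the old, now-deleted libssl mapped until it is restarted (hence the restart
# step in the post). Print the PIDs that still map a deleted libssl.
# Linux /proc only; prints nothing elsewhere.
stale_libssl_pids() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -q 'libssl.*(deleted)' "$maps" 2>/dev/null; then
            echo "$maps" | cut -d/ -f3
        fi
    done
    return 0
}

# Constructed sample changelogs, shaped like the output quoted in the comments.
FIXED_LOG='* Mon Apr 07 2014 Packager <packager@example.invalid> 1.0.1e-16.el6_5.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension'
OLD_LOG='* Tue Jan 07 2014 Packager <packager@example.invalid> 1.0.1e-16.el6_5.4
- rebuild with no functional changes'

# Demonstration on the constructed samples, then on the live host.
echo "1.0.1e with fix   : $(heartbleed_status 1.0.1e "$FIXED_LOG")"   # patched
echo "1.0.1e without fix: $(heartbleed_status 1.0.1e "$OLD_LOG")"     # vulnerable
echo "0.9.8e (CentOS 5) : $(heartbleed_status 0.9.8e "$OLD_LOG")"     # not-affected
echo "this host         : $(check_installed_openssl)"
stale=$(stale_libssl_pids)
if [ -n "$stale" ]; then
    echo "restart needed, PIDs still using the old libssl: $stale"
fi
```

Note that the "no output" case of the post's one-liner cannot distinguish a vulnerable 1.0.1 build from a host where the package is simply absent; checking the version branch first, as `heartbleed_status` does, removes that ambiguity.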

If you have any issues please feel free to open a support ticket in your ServInt customer portal.


Comments
  1. /$ rpm --changelog -q openssl |grep CVE-2014-0160
     - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
     - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
     I followed the tip above that you posted on Plesk and it worked great.
    Steve Pringle /
  2. Is your server vulnerable from the #Heartbleed bug? Find out - and fix it! - in this week's #TechBench. http://t.co/WdHysF0HGo
  3. According to the above checks, my VPS was patched automatically, which is obviously good. But you make no mention of what damage might have occurred prior to the patch, or how to fix that. Given that many of your servers were definitely vulnerable to this problem, is this not a major concern even on patched systems?
  4. My current understanding. Minimum steps:
     • Apply vendor patch for OpenSSL on the server itself
     • Restart Apache and other server processes
     Optional steps:
     • Generate new SSL key.
     • Generate a CSR based on the new key.
     • Reissue your certificate using the new CSR.
     • Install the new certificate on your services.
     • Revoke old certificate.
    Ari Salomon /
  5. On our network, this vulnerability only affects those with CentOS 6 servers. You are not affected if you are on CentOS 5 or below.
  6. Patching the Heartbleed Bug in OpenSSL http://t.co/CpfLu589VG #heartbleed
    davidciamarro /
  7. RT @servint: Learn how to protect yourself from the #Heartbleed bug in #OpenSSL. http://t.co/WdHysF0HGo
  8. Learn how to protect yourself from the #Heartbleed bug in #OpenSSL. http://t.co/WdHysF0HGo
  9. Never mind; my server is apparently running OpenSSL 0.9.8e, which is apparently not vulnerable
  10. I followed the WHM/cPanel instructions, and the command provided still returns nothing after completing them. What am I missing?
  11. Understanding the #Heartbleed bug in #OpenSSL and how to patch it in this week's #TechBench. http://t.co/WdHysF0HGo
  12. Dave - this is actually a RedHat/CentOS package, and not something directly released by cPanel. cPanel does, however, ensure that core RPMs are up to date. Especially RPMs that cPanel uses directly for their software. It might not have happened last night, but the next time a cPanel update is run, the 'openssl' RPM will be updated. We have confirmed this on our end. cPanel might release a check or notification about this vulnerability in a future version of their software, but the best way to ensure you have a patched copy of OpenSSL is via the 'rpm' command mentioned in this blog post.
  13. Thanks for the simple instructions for testing for the bug and for upgrading cPanel. cPanel's April 7 - 11.42.1.5 update that was installed on our server automatically last night did NOT include the update. I followed your instructions and as promised there is a newer update today that does include the CVE-2014-0160 fix. For anyone reading this after April 8, if your cPanel change log includes a newer version than 11.42.1.5 you're probably OK.
    Dave Simmons /
  14. RT @servint: Is your server vulnerable from the #Heartbleed bug? Find out - and fix it! - in this week's #TechBench. http://t.co/WdHysF0HGo
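The key and certificate steps listed in comment 4 above (new key, CSR from that key, install the reissued certificate) can be carried out with the openssl command-line tool. The script below is an added example, not code from the post or from the commenter; it checks at each step that the key, CSR and certificate belong together by comparing public-key fingerprints, so an old key is not accidentally carried forward. The working directory, the hostname "example.test" and the 2048-bit key size are placeholders chosen for the example, and a self-signed certificate stands in for the CA-reissued one so the install-time check runs offline. Revoking the old certificate happens at the CA and is not shown.

```shell
#!/bin/sh
# Added example, not code from the post or from the commenter: the key and
# certificate rotation steps from comment 4, with a fingerprint check at each
# step. Paths, hostname and key size are placeholders; the self-signed
# certificate only stands in for the CA-issued one during the demonstration.

# Steps 1 and 2: generate a fresh RSA private key and a CSR for it.
# $1 = output directory, $2 = hostname for the CN, $3 = key size (default 2048)
generate_key_and_csr() {
    dir="$1"; host="$2"; bits="${3:-2048}"
    mkdir -p "$dir" || return 1
    ( umask 077     # the private key must not be readable by other users
      openssl genrsa -out "$dir/$host.key" "$bits" 2>/dev/null &&
      openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" \
          -subj "/CN=$host" 2>/dev/null )
}

# SHA-256 of the DER-encoded public key carried by a key, CSR or certificate,
# so the three can be compared independently of their PEM framing.
# $1 = key | csr | cert, $2 = file. Returns 1 if the file does not parse.
pubkey_fingerprint() {
    [ -r "$2" ] || return 1
    if [ "$1" = key ]; then
        openssl pkey -in "$2" -noout 2>/dev/null || return 1
        openssl pkey -in "$2" -pubout -outform DER 2>/dev/null
    elif [ "$1" = csr ]; then
        openssl req -in "$2" -noout -verify >/dev/null 2>&1 || return 1
        openssl req -in "$2" -pubkey -noout 2>/dev/null |
            openssl pkey -pubin -pubout -outform DER 2>/dev/null
    else
        openssl x509 -in "$2" -noout 2>/dev/null || return 1
        openssl x509 -in "$2" -pubkey -noout 2>/dev/null |
            openssl pkey -pubin -pubout -outform DER 2>/dev/null
    fi | openssl dgst -sha256 2>/dev/null | awk '{print $NF}'
}

# Step 2 check: the CSR really was built from the new key.
csr_matches_key() {   # $1 = key file, $2 = CSR file
    k=$(pubkey_fingerprint key "$1") || return 1
    c=$(pubkey_fingerprint csr "$2") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Step 4 check: the certificate about to be installed carries the new key,
# not the key that was in memory before the patch.
cert_matches_key() {  # $1 = key file, $2 = certificate file
    k=$(pubkey_fingerprint key "$1") || return 1
    c=$(pubkey_fingerprint cert "$2") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Stand-in for the CA (step 3): self-sign the CSR so the install-time check
# can be demonstrated offline. A real reissue returns a CA-signed certificate.
self_sign_for_demo() { # $1 = key, $2 = CSR, $3 = output certificate
    openssl x509 -req -in "$2" -signkey "$1" -days 1 -out "$3" 2>/dev/null
}

# Whole rotation with checks; prints "ok" on success, the failing step otherwise.
rotate_and_verify() {  # $1 = work directory, $2 = hostname
    generate_key_and_csr "$1" "$2" 2048 || { echo "keygen failed"; return 1; }
    csr_matches_key "$1/$2.key" "$1/$2.csr" || { echo "csr/key mismatch"; return 1; }
    self_sign_for_demo "$1/$2.key" "$1/$2.csr" "$1/$2.crt" || { echo "sign failed"; return 1; }
    cert_matches_key "$1/$2.key" "$1/$2.crt" || { echo "cert/key mismatch"; return 1; }
    echo "ok"
}

if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    rotate_and_verify "$work" example.test
    rm -rf "$work"
else
    echo "openssl command not found; nothing to demonstrate"
fi
```

The same `cert_matches_key` comparison is useful once the new certificate is installed: running it against the certificate the service actually presents confirms that the reissue, and not just the package update, has taken effect.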

Bill Brooks

Escalated Technician, ServInt

Bill Brooks is an Escalated Technician and the Continuing Education Facilitator for ServInt’s Managed Services Team. He is a life-long tech enthusiast and enjoys music, video games and hockey on the side.