News: OpenSSL Vulnerability Security Alert - 10/04/2014

Published: 10/04/2014

Dear Customer, 

OpenSSL published a security advisory on 9 April 2014 disclosing a vulnerability in the OpenSSL library.

“There was a devastating security flaw in the OpenSSL implementation of the SSL/TLS protocol (CVE-2014-0160), known as the Heartbleed vulnerability. Heartbleed is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

What versions of the OpenSSL are affected?

Status of different versions:

- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable

The bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.”

For more information, you may refer to heartbleed.com.

For our shared hosting servers, we are patching the servers ourselves; customers on shared hosting do not need to do anything.

For VPS/Dedicated/Co-location customers, please patch your own server. If you are not sure whether your server is affected by this bug, there are two methods to check.

The first method is to test your server's public hostname with the online SSL test at https://www.ssllabs.com/ssltest/

The second method is to check the installed OpenSSL version directly:

- SSH into your server
- Run the following command: “openssl version -a” (without quotes)
- If the first line of the result shows “OpenSSL 1.0.1e 11 Feb 2013” and the “built on:” line shows a date earlier than 8 April 2014, then your server might be vulnerable. (On yum-based systems the fix is backported, so the version string stays 1.0.1e and only the build date changes.)

To fix the vulnerability, kindly run the command “yum update” (without quotes) to install the patched OpenSSL package.

If you have cPanel installed, the latest OpenSSL package still reports version 1.0.1e, but with a build date of 8 April 2014; that build contains the fix.

Once you have installed the fix, kindly do a reboot on the server.
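The following script automates the second check above. It is an added example written for this notice, not a tool shipped by OpenSSL or by MangoXchange, and the function names (heartbleed_status, build_date_num, check_local_openssl) are our own. It reads the output of “openssl version -a”, applies the version ranges listed earlier in this notice and the 8 April 2014 build-date rule for 1.0.1e, and reports one of: vulnerable, possibly-vulnerable, patched-backport, not-vulnerable or unknown. The sample outputs embedded in it are constructed for demonstration, not captured from a real server; the last line of the script runs the same check against the OpenSSL installed on the host.

```shell
#!/bin/sh
# Classify "openssl version -a" output by the Heartbleed ranges in this notice.
# Added example; function names are hypothetical, not part of OpenSSL or cPanel.

# Turn the "built on:" line into YYYYMMDD (e.g. 20140408); print nothing if absent.
build_date_num() {
    line=$(printf '%s\n' "$1" | sed -n 's/^built on: *//p' | head -n 1)
    [ -n "$line" ] || return 0
    i=0; mon=''; day=''; year=''
    for w in $line; do                 # e.g. Tue Apr  8 02:39:29 UTC 2014
        i=$((i + 1))
        case $i in 2) mon=$w ;; 3) day=$w ;; esac
        year=$w                        # last field is the year
    done
    case "$mon" in
        Jan) m=01 ;; Feb) m=02 ;; Mar) m=03 ;; Apr) m=04 ;; May) m=05 ;; Jun) m=06 ;;
        Jul) m=07 ;; Aug) m=08 ;; Sep) m=09 ;; Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
        *) return 0 ;;                 # e.g. "reproducible build, date unspecified"
    esac
    case "$day" in [0-9]) day="0$day" ;; esac
    case "$year$m$day" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) printf '%s' "$year$m$day" ;;
    esac
}

# Classify the full "openssl version -a" output passed as one string.
#   vulnerable          1.0.1 through 1.0.1f (except 1.0.1e, see below)
#   patched-backport    1.0.1e built on or after 8 April 2014 (distro backport)
#   possibly-vulnerable 1.0.1e with an older or missing build date
#   not-vulnerable      1.0.1g and later, 1.0.0 branch, 0.9.8 branch
#   unknown             output not recognised
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | sed -n '1s/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        '') echo unknown ;;
        1.0.1e)
            d=$(build_date_num "$1")
            if [ -n "$d" ] && [ "$d" -ge 20140408 ]; then echo patched-backport
            else echo possibly-vulnerable; fi ;;
        1.0.1|1.0.1[a-f]) echo vulnerable ;;
        1.0.1[g-z]*|1.0.0*|0.9.8*|1.0.[2-9]*|1.[1-9]*|[2-9]*) echo not-vulnerable ;;
        *) echo unknown ;;
    esac
}

# Read-only check of the OpenSSL installed on this host.
check_local_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        heartbleed_status "$(openssl version -a 2>/dev/null)"
    else
        echo unknown
    fi
}

# Constructed sample outputs (not captured from any real server).
SAMPLE_OLD='OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Mon Feb 11 12:00:00 UTC 2013
platform: linux-x86_64'
SAMPLE_BACKPORT='OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Apr  8 02:39:29 UTC 2014
platform: linux-x86_64'
SAMPLE_FIXED='OpenSSL 1.0.1g 7 Apr 2014
built on: Mon Apr  7 22:00:00 UTC 2014'

# Stand-alone run: classify the samples, then the local OpenSSL.
for s in "$SAMPLE_OLD" "$SAMPLE_BACKPORT" "$SAMPLE_FIXED"; do
    printf '%s -> %s\n' "$(printf '%s\n' "$s" | head -n 1)" "$(heartbleed_status "$s")"
done
printf 'this host -> %s\n' "$(check_local_openssl)"
```

A result of “vulnerable” or “possibly-vulnerable” means you should run the update and reboot as described above; “patched-backport” is what a yum-updated or cPanel server is expected to report after 8 April 2014. The version check only tells you what library is installed, so the SSL Labs test remains the way to confirm that the services actually listening on the server are no longer affected.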

Regards,
Edward Ho
Server Security Team
MangoXchange.com