Most system administrators and developers have been redirected to fixing OpenSSL's most threatening bug to date, named Heartbleed (CVE-2014-0160). About two years ago OpenSSL added a new extension called Heartbeat (it first shipped in the 1.0.1 release). A heartbeat keeps a TLS/DTLS session alive while no data is flowing, so that an idle connection is not torn down; without it an idle connection is eventually terminated. Recently the security community discovered a flaw in the heartbeat implementation: the payload length stated by the peer is trusted without a bounds check, so an attacker can make the other side return up to 64 KB of its process memory per heartbeat request. The leaked memory comes back as plaintext, so no decryption is needed to read it, and it may contain private keys, session cookies, passwords and application data. If the server handles credit card transactions, an attacker can pull out whatever details they want simply by requesting 64 KB chunks over and over.
OpenSSL 1.0.1 through 1.0.1f are vulnerable (refer to http://heartbleed.com/):
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
Heartbleed on Solaris:
All Oracle Solaris 10 systems ship an older OpenSSL (0.9.7d, dated 17 March 2004), which predates the heartbeat extension entirely. We have installed the 2014 OS cluster patch bundles on most of our Solaris 10 systems and none of them were upgraded to a newer OpenSSL, so there is no need to worry about this bug on the Solaris 10 servers themselves. This covers only the system OpenSSL: any third-party software that bundles its own OpenSSL 1.0.1 library has to be checked separately.
Here are the commands to locate the binary and check its version:
# find / -name openssl
/usr/bin/openssl
# which openssl
/usr/bin/openssl
# /usr/bin/openssl version
OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: CVE-2005-2969 CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343 CVE-2006-7250 CVE-2007-5135 CVE-2007-3108 CVE-2008-5077 CVE-2008-7270 CVE-2009-0590 CVE-2009-2409 CVE-2009-3555 CVE-2010-4180 CVE-2011-4576 CVE-2011-4619 CVE-2012-0884 CVE-2012-1165 CVE-2012-2110 CVE-2012-2131 CVE-2012-2333)
#
Solaris 11.1 also ships a non-vulnerable OpenSSL (1.0.0 branch):
root@UA-SOL1~# /usr/bin/openssl version
OpenSSL 1.0.0k 5 Feb 2013
root@UA-SOL1~# uname -a
SunOS UA-SOL1 5.11 11.1 sun4v sparc sun4v
root@UA-SOL1~#
According to Oracle's support document, Solaris 11.2 is affected by Heartbleed (it moved to the OpenSSL 1.0.1 branch). To fix the issue on Solaris 11.2, contact Oracle Support.
Heartbleed on Red Hat Linux:
The first Red Hat Enterprise Linux 6 release affected by Heartbleed is 6.5, which moved to OpenSSL 1.0.1e. RHEL 6.0 through 6.4 (OpenSSL 1.0.0) are unaffected.
As per Red Hat's support documents, the packages openssl-1.0.1e-15 through openssl-1.0.1e-16.el6_5.4 include a flawed libssl.so library vulnerable to the issue. Red Hat's knowledge base article on the issue lists the same range.
Use the commands below to find the OpenSSL version. Note that on Red Hat, openssl version keeps reporting the upstream base version (1.0.1e) even after the fix has been backported into the package, so it is the RPM release, not the version banner, that tells you whether the patched build is installed:
[root@UA-LIN ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
[root@UA-LIN ~]# rpm -q openssl
openssl-1.0.1e-16.el6_5.4.x86_64
The version above has the Heartbleed bug: the base version is 1.0.1e and the package release, 16.el6_5.4, falls inside the affected range (the fix ships in release 16.el6_5.7).
If the system is already registered with Red Hat, just update OpenSSL using yum to fix the issue:
# yum update openssl
If you would rather download the fixed package yourself, log in to the Red Hat Customer Portal:
1. Open the package download page, enter openssl in the search field and search.
2. From the list of packages containing openssl, click openssl to reach the download page.
Download the RPM whose release ends in _5.7.x86_64 for 64-bit Red Hat Enterprise Linux 6.5.
3. Install the RPM with the command below.
# yum update /var/tmp/openssl-1.0.1e-16.el6_5.7.x86_64.rpm
4. After patching, verify the new version:
[root@UA-LIN ~]# rpm -q openssl
openssl-1.0.1e-16.el6_5.7.x86_64
That removes the vulnerable library from disk, but any process that loaded the old library before the update is still running the vulnerable code.
The commands below identify which processes have the OpenSSL library loaded:
[root@UA-LIN ~]# grep libssl.so.1.0.1e /proc/*/maps | cut -d/ -f3 | sort -u | xargs -r -- ps uf
USER       PID %CPU %MEM   VSZ  RSS TTY STAT START TIME COMMAND
root      1276  0.0  0.0 80288  808 ?   Ss   Mar11 0:01 /usr/libexec/postfix/master
postfix   1855  0.0  0.0 80532  604 ?   S    Mar11 0:00  \_ qmgr -l -t fifo -u
postfix   2952  0.0  0.0 80288 1752 ?   S    19:17 0:00  \_ pickup -l -t fifo -u
[root@UA-LIN ~]# lsof | awk 'NR==1 || $0~/libssl.so.1.0.1e/'
COMMAND  PID    USER FD  TYPE DEVICE SIZE/OFF   NODE NAME
master  1276    root DEL  REG  253,1          266122 /usr/lib64/libssl.so.1.0.1e.#prelink#.lCBmW3
qmgr    1855 postfix DEL  REG  253,1          266121 /usr/lib64/libssl.so.1.0.1e.#prelink#.lCBmW3
pickup  2952 postfix mem  REG  253,1   666060 234516 /usr/lib64/libssl.so.1.0.1e
[root@UA-LIN ~]#
Every process that uses the OpenSSL library must be restarted (or the system rebooted) so that it picks up the fixed libssl. The lsof output above shows why: the DEL entries for master and qmgr mean those processes are still mapping a copy of libssl.so.1.0.1e that has since been deleted from disk, i.e. they are still running the old code, while pickup, started at 19:17, is already using the new file. It is therefore better to stop the application before installing the patch and start it again afterwards. Since a vulnerable server may already have leaked its private key, session cookies and user credentials, reissue its certificates and rotate any exposed secrets once it is patched.
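The checks from the Solaris and Red Hat sections can be folded into one small script. The one below is an added example written for this post, not Red Hat's or Oracle's tooling: classify_upstream gives a verdict from the openssl version banner using the upstream ranges above (1.0.1 through 1.0.1f affected; 0.9.7d, 1.0.0k and 1.0.1g not), classify_rhel6_rpm gives a verdict from the RHEL 6 package release the way Red Hat's range implies (15 through 16.el6_5.4 flawed, 16.el6_5.7 and later fixed), and stale_libssl_pids walks /proc/*/maps to list processes still mapping a libssl.so.1.0.1e that was deleted or replaced on disk, which is the condition lsof reports as DEL. The function names, the UNKNOWN verdict for releases the advisory does not name, and the optional proc-root argument (so the scan can be tried on a constructed fake /proc tree) are this example's own assumptions.

```shell
#!/bin/sh
# heartbleed_check.sh - added example for this post (hypothetical helper, not
# Red Hat's or Oracle's tooling). Run the live checks with: sh heartbleed_check.sh run

# classify_upstream "OpenSSL 1.0.1e-fips 11 Feb 2013"  -> VULNERABLE
# Upstream numbering only: 1.0.1 through 1.0.1f are affected; 1.0.1g and later,
# 1.0.0 and 0.9.x are not (0.9.7d and 1.0.0k, seen on Solaris 10 and 11.1,
# predate the heartbeat extension altogether).
classify_upstream() {
    set -- $1                       # split the banner into words
    ver=${2%%-*}                    # second word, minus any "-fips" suffix
    [ -n "$ver" ] || { echo UNKNOWN; return 0; }
    case "$ver" in
        1.0.1|1.0.1[a-f]) echo VULNERABLE ;;
        *)                echo NOT_VULNERABLE ;;
    esac
}

# classify_rhel6_rpm "openssl-1.0.1e-16.el6_5.4.x86_64"  -> VULNERABLE
# Red Hat's range: openssl-1.0.1e-15 through openssl-1.0.1e-16.el6_5.4 carry the
# flawed libssl; openssl-1.0.1e-16.el6_5.7 and every later release carry the fix.
# The banner still says 1.0.1e on a fixed box, so only the release can tell them apart.
classify_rhel6_rpm() {
    nvr=${1%.x86_64}; nvr=${nvr%.i686}         # drop the architecture suffix
    case "$nvr" in
        openssl-1.0.1e-*) ;;
        *) echo NOT_VULNERABLE; return 0 ;;     # RHEL 6.0-6.4 ship openssl 1.0.0
    esac
    rel=${nvr#openssl-1.0.1e-}                 # e.g. 16.el6_5.4, 16.el6, 15.el6
    relnum=${rel%%.*}                          # 16
    case "$rel" in
        *.el6_5.*) errata=${rel##*.el6_5.} ;;  # z-stream suffix: 4, 7, ...
        *)         errata=0 ;;                 # GA build, no suffix
    esac
    if [ "$relnum" -eq 15 ] || { [ "$relnum" -eq 16 ] && [ "$errata" -le 4 ]; }; then
        echo VULNERABLE
    elif [ "$relnum" -ge 17 ] || { [ "$relnum" -eq 16 ] && [ "$errata" -ge 7 ]; }; then
        echo NOT_VULNERABLE
    else
        echo UNKNOWN                           # not named by the advisory: investigate
    fi
}

# _scan PROCROOT REGEX: print every numeric PID under PROCROOT whose maps file
# matches REGEX. PROCROOT is /proc on a live system; the argument exists so the
# scan can be exercised on a constructed fake tree.
_scan() {
    for maps in "$1"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -q "$2" "$maps" 2>/dev/null; then
            pid=${maps%/maps}; echo "${pid##*/}"
        fi
    done
}

# libssl_pids [procroot]: every process with libssl.so.1.0.1e mapped (what the
# grep /proc/*/maps pipeline in the post collects).
libssl_pids() {
    _scan "${1:-/proc}" 'libssl\.so\.1\.0\.1e'
}

# stale_libssl_pids [procroot]: only processes whose mapping is marked "(deleted)",
# i.e. the update replaced the file on disk but the process kept the old copy
# (lsof shows these as DEL). These must be restarted to pick up the fix.
stale_libssl_pids() {
    _scan "${1:-/proc}" 'libssl\.so\.1\.0\.1e.*(deleted)'
}

if [ "${1:-}" = run ]; then
    echo "banner  : $(classify_upstream "$(openssl version)")"
    if command -v rpm >/dev/null 2>&1; then
        echo "rhel rpm: $(classify_rhel6_rpm "$(rpm -q openssl | head -n 1)")"
    fi
    echo "processes still mapping a replaced libssl (restart these):"
    stale_libssl_pids
fi
```

On a patched RHEL 6.5 host the two verdicts disagree on purpose: the banner still reads 1.0.1e, so classify_upstream says VULNERABLE, while classify_rhel6_rpm on openssl-1.0.1e-16.el6_5.7 says NOT_VULNERABLE; on Red Hat the package check is the one to trust. A non-empty list from stale_libssl_pids after the update is the same condition as the DEL rows in the lsof output above.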
I hope this article helps you keep your Solaris and Linux environment free of the Heartbleed bug.