Loadbalancer.org releases patch for the OpenSSL Heartbleed vulnerability CVE-2014-0160


Vulnerability Description

The bug is in OpenSSL’s implementation of the heartbeat extension (RFC 6520) for the TLS and DTLS transport layer security protocols. When it is exploited, it leaks memory contents from the server to the client and from the client to the server.

For more details, please refer to: http://heartbleed.com/


1) Updating the Hardware & Virtual Appliance


Appliance Software Versions Affected:

v7.5, v7.5.1, v7.5.2, v7.5.3, v7.5.4


Hotfix Details:

The hotfix includes a recompiled version of OpenSSL built with the compile option “-DOPENSSL_NO_HEARTBEATS”, which disables the heartbeat extension and so mitigates the vulnerability. This approach enables us to release a patch more quickly than upgrading OpenSSL, which would require Pound and STunnel to be rebuilt and fully retested. The hotfix files can be accessed at the following URLs:


Archive file: http://downloads.loadbalancer.org/releases/hotfix/loadbalancer.org-patch-7.5_openssl1.0.1e-heartbeat.tar.gz

Checksum file: http://downloads.loadbalancer.org/releases/hotfix/loadbalancer.org-patch-7.5_openssl1.0.1e-heartbeat.tar.gz.md5


Applying the Hotfix (should ONLY be applied to versions listed above):

1) Download both files mentioned above

2) Open the WUI option: Maintenance > Software Update > Offline Update

3) Browse to and select the files

4) Click Upload and Install

5) Restart Pound and STunnel when convenient


NOTE: After applying the patch, the version of OpenSSL will remain the same, but the compile date and options will be different, as reported in the update confirmation message shown below:

OpenSSL updated. Version: OpenSSL 1.0.1e 11 Feb 2013
built on: Wed Apr 9 09:52:48 BST 2014
platform: linux-x86_64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_HEARTBEATS -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"


The version of OpenSSL can also be verified by running the command openssl version -a at the console, via an SSH session, or using the WUI option: Local Configuration > Execute Shell Command, as shown below:


[root@lbmaster ~]# openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Wed Apr  9 09:52:48 BST 2014
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_HEARTBEATS -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"

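As an added verification helper (not Loadbalancer.org's code), the following POSIX sh functions check the output of openssl version -a for the -DOPENSSL_NO_HEARTBEATS option the hotfix adds, and list processes that still map a replaced copy of libssl in memory, which is the reason step 5 asks for Pound and STunnel to be restarted. It assumes a Linux /proc filesystem and the output layout shown above.

```shell
#!/bin/sh
# Added example, not the vendor's code. Confirms from `openssl version -a`
# output that the library was built with the hotfix's compile option.
#   check_heartbeat_disabled "$(openssl version -a)"
# Returns 0 if -DOPENSSL_NO_HEARTBEATS is present, 1 if absent,
# 2 if the output has no "compiler:" line to inspect.
check_heartbeat_disabled() {
    version_out="$1"
    # The "compiler:" line lists every -D option the build used.
    compiler_line=$(printf '%s\n' "$version_out" | grep '^compiler:')
    if [ -z "$compiler_line" ]; then
        echo "no 'compiler:' line found; cannot determine build options" >&2
        return 2
    fi
    # Match the option as a whole token, padded with spaces on both sides,
    # so a similarly named option cannot produce a false positive.
    case " $compiler_line " in
        *" -DOPENSSL_NO_HEARTBEATS "*)
            echo "OK: OpenSSL built without heartbeat support"
            return 0 ;;
        *)
            echo "WARNING: -DOPENSSL_NO_HEARTBEATS not present; hotfix not applied?" >&2
            return 1 ;;
    esac
}

# Lists PIDs that still have a deleted (replaced on disk) libssl mapped.
# A patched file on disk does nothing for a daemon that loaded the old
# build at start-up; those processes (e.g. Pound, STunnel) need a restart.
# Assumes Linux /proc/PID/maps; prints nothing when no stale mappings exist.
stale_libssl_procs() {
    grep -l 'libssl.*(deleted)' /proc/[0-9]*/maps 2>/dev/null | cut -d/ -f3
}
```

Run stale_libssl_procs as root so every process's maps file is readable; an empty result after the restarts in step 5 means no service is still using the pre-hotfix library.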

Regenerate Keys & Certificates:

To ensure complete protection, all related SSL certificates should be regenerated using a new private key.


2) Updating the Amazon Ec2 Appliance


EC2 Appliance Software Versions Affected:

All versions


Updating the Software:

1) Start an SSH session – to do this, please refer to page 29 of the EC2 Quickstart Guide

2) Run the following commands:

sudo yum update openssl

service pound restart

service httpd restart


Regenerate Keys & Certificates:

To ensure complete protection, all related SSL certificates should be regenerated using a new private key.


For further information please contact Loadbalancer.org Support.

The original article/video can be found at Loadbalancer.org releases patch for the Openssl heartbleed vulnerability CVE-2014-0160