
Openssl Heartbleed bug on Solaris and Linux

Most system administrators and developers are currently being redirected to fix OpenSSL's most threatening bug, named Heartbleed. Two years ago, OpenSSL added a new extension called heartbeat. Heartbeat keeps the session alive for a while so that the communication is not broken, whereas in typical SSL the connection is terminated immediately if it is inactive for a while. Recently a security team discovered an issue with the heartbeat extension. Using the heartbeat protocol, attackers can read memory contents in chunks of 64K. This information can be decrypted and read in text format. If the server is used for credit card transactions, attackers can easily pull out all the details they want by pulling a number of 64K memory chunks.

OpenSSL 1.0.1 through 1.0.1f are vulnerable (refer to http://heartbleed.com/):

  1. OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  2. OpenSSL 1.0.1g is NOT vulnerable
  3. OpenSSL 1.0.0 branch is NOT vulnerable
  4. OpenSSL 0.9.8 branch is NOT vulnerable

Heartbleed on Solaris:

All Oracle Solaris 10 operating systems use an older version of OpenSSL (0.9.7d, dated 17 March 2004). We have installed the 2014 OS cluster patch bundles on most of the Solaris 10 systems and none of them were upgraded to a newer version of OpenSSL, so we do not need to worry about this bug on Solaris 10 servers.

Here are the commands to check the OpenSSL version.

# find / -name openssl
/usr/bin/openssl
# which openssl
/usr/bin/openssl
# /usr/bin/openssl version
OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: CVE-2005-2969 CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343 CVE-2006-7250 CVE-2007-5135 CVE-2007-3108 CVE-2008-5077 CVE-2008-7270 CVE-2009-0590 CVE-2009-2409 CVE-2009-3555 CVE-2010-4180 CVE-2011-4576 CVE-2011-4619 CVE-2012-0884 CVE-2012-1165 CVE-2012-2110 CVE-2012-2131 CVE-2012-2333)
#

Even Solaris 11.1 uses a non-vulnerable version of OpenSSL.

root@UA-SOL1~# /usr/bin/openssl version
OpenSSL 1.0.0k 5 Feb 2013
root@UA-SOL1~# uname -a
SunOS UA-SOL1 5.11 11.1 sun4v sparc sun4v
root@UA-SOL1~#

As per the Oracle support document, the Heartbleed bug has been detected on Solaris 11.2. To fix the issue on Solaris 11.2, you need to contact Oracle support.

Heartbleed on Red Hat Linux:

The first Heartbleed-affected version of Red Hat Linux is 6.5. Red Hat Linux 6.0 through 6.4 are unaffected.

As per Red Hat's support documents, OpenSSL versions openssl-1.0.1e-15 through openssl-1.0.1e-16.el6_5.4 include a flawed libssl.so library vulnerable to the issue. Here is the Red Hat article for the same.

Use the method below to find the version of OpenSSL.

[root@UA-LIN ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
[root@UA-LIN ~]# rpm -q openssl
openssl-1.0.1e-16.el6_5.4.x86_64

You can see that the above version has the Heartbleed bug, since the OpenSSL version is 1.0.1e and the patch (RPM release) version is 5.4.
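The checks above can be scripted. The following is an added example, not from the original article: it classifies an `openssl version` string against the upstream range quoted above (1.0.1 through 1.0.1f) and classifies a RHEL 6 openssl RPM name against the Red Hat build range (openssl-1.0.1e-15 through openssl-1.0.1e-16.el6_5.4, with 16.el6_5.7 being the fixed build). The RPM check matters because Red Hat backports fixes without changing the upstream letter, so `openssl version` alone still reports 1.0.1e after patching. Sample inputs in the usage lines are constructed.

```shell
#!/bin/sh
# Added example: classify OpenSSL version strings and RHEL 6 openssl RPM names
# as Heartbleed-affected or not. Ranges are those quoted in the article.

# Print "vulnerable" or "not-vulnerable" for an `openssl version` string such as
# "OpenSSL 1.0.1e-fips 11 Feb 2013". Only the upstream release letter is examined.
upstream_status() {
    # second whitespace-separated field, minus any "-fips" style suffix -> 1.0.1e
    ver=$(printf '%s\n' "$1" | awk '{print $2}' | sed 's/-.*//')
    case "$ver" in
        1.0.1|1.0.1[a-f]) echo vulnerable ;;      # 1.0.1 through 1.0.1f inclusive
        *)                echo not-vulnerable ;;  # 1.0.1g+, 1.0.0 and 0.9.8 branches
    esac
}

# Print "vulnerable" or "not-vulnerable" for a RHEL 6 openssl RPM name such as
# "openssl-1.0.1e-16.el6_5.4.x86_64" (output of `rpm -q openssl`).
rhel6_rpm_status() {
    vr=${1#openssl-}                    # drop package name -> 1.0.1e-16.el6_5.4.x86_64
    vr=${vr%.x86_64}; vr=${vr%.i686}    # drop architecture suffix
    ver=${vr%%-*}                       # upstream version, e.g. 1.0.1e
    rel=${vr#*-}                        # RPM release, e.g. 16.el6_5.4
    # RHEL 6.0-6.4 ship the 1.0.0 branch, which is not affected
    [ "$ver" = 1.0.1e ] || { echo not-vulnerable; return; }
    relnum=${rel%%.*}                   # leading release number: 15 or 16
    case "$rel" in
        *.el6_5.*) z=${rel##*.el6_5.} ;;   # zstream build number, e.g. 4 or 7
        *)         z=0 ;;                  # plain el6 build without a zstream update
    esac
    # flawed builds: any -15, and -16 up to and including 16.el6_5.4
    if [ "$relnum" -eq 15 ] || { [ "$relnum" -eq 16 ] && [ "$z" -le 4 ]; }; then
        echo vulnerable
    else
        echo not-vulnerable
    fi
}

# constructed usage; the two RPM names are the ones shown in the article
echo "upstream 1.0.1e : $(upstream_status 'OpenSSL 1.0.1e-fips 11 Feb 2013')"
echo "upstream 1.0.0k : $(upstream_status 'OpenSSL 1.0.0k 5 Feb 2013')"
echo "rpm 16.el6_5.4  : $(rhel6_rpm_status openssl-1.0.1e-16.el6_5.4.x86_64)"
echo "rpm 16.el6_5.7  : $(rhel6_rpm_status openssl-1.0.1e-16.el6_5.7.x86_64)"
```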

If you have already registered the system with Red Hat, just update OpenSSL using yum to fix the issue.

# yum update openssl

If you want to download the fixed version of OpenSSL, log in to the Red Hat customer portal.

1. Click this link and it will take you to the page below. Just enter openssl and search for it.

Redhat Linux openssl search

2. You may get a list of software that contains openssl. Just click on openssl and you will get the screen below to download it.

openssl redhat linux -Fixed version

Download the rpm that ends with *_5.7.x86_64 for the Red Hat Linux 6.5 64-bit operating system.

3. Install the rpm using the command below.

# yum update /var/tmp/openssl-1.0.1e-16.el6_5.7.x86_64.rpm

4. After patching, verify the new version using the command below.

[root@UA-LIN ~]# rpm -q openssl
openssl-1.0.1e-16.el6_5.7.x86_64

Now Heartbleed has been uprooted.

You can easily identify which applications are using the OpenSSL library with the commands below.

[root@UA-LIN ~]# grep libssl.so.1.0.1e /proc/*/maps | cut -d/ -f3 | sort -u | xargs -r -- ps uf
USER        PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root        1276  0.0  0.0  80288   808 ?        Ss   Mar11   0:01 /usr/libexec/postfix/master
uapostfix   1855  0.0  0.0  80532   604 ?        S    Mar11   0:00  \_ qmgr -l -t fifo -u
uapostfix   2952  0.0  0.0  80288  1752 ?        S    19:17   0:00  \_ pickup -l -t fifo -u
[root@UA-LIN ~]# lsof | awk 'NR==1 || $0~/libssl.so.1.0.1e/'
COMMAND     PID      USER   FD      TYPE             DEVICE    SIZE/OFF       NODE NAME
masterua     1276      root  DEL       REG              253,1                 266122 /usr/lib64/libssl.so.1.0.1e.#prelink#.lCBmW3
uaqmgr       1855   postfix  DEL       REG              253,1                 266121 /usr/lib64/libssl.so.1.0.1e.#prelink#.lCBmW3
uapickup     2952   postfix  mem       REG              253,1      666060     234516 /usr/lib64/libssl.so.1.0.1e
[root@UA-LIN ~]#

You need to restart any application that uses the OpenSSL library, so it is better to halt the application before installing this patch.

Hope this article helps you make your Solaris and Linux environments free from the Heartbleed bug.
