
2014-04 Heartbleed Bug

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by SSL/TLS encryption.

OpenSSL versions from 1.0.1 through 1.0.1f (inclusive) are vulnerable and make it possible to steal information, including the encrypted content and the secret key used for the encryption. The attack is also undetectable.

If you are running any of the affected versions on an SSL-enabled website, meaning that you can access it using HTTPS instead of HTTP, patch the libraries in your system and replace the certificates and keys that may have been compromised. Please note that remote access using SSH is NOT affected.

There are also two Bitnami applications that are affected by the Heartbleed bug on Windows: Trac and ReviewBoard.

Find more information about the issue.

Detect if your machine is vulnerable

  • If you are running a Web server with SSL enabled, test whether it is vulnerable using this website.

  • Alternatively, log into the server and check the OpenSSL version by executing the command below:

    $ openssl version -a
    

    On Windows, open a Windows Command Prompt and run the above command from the installdir\apache2\bin directory:

    $ cd installdir\apache2\bin
    $ openssl version -a
    OpenSSL 1.0.1e 11 Feb 2013
    

    If the version shown in the output is between v1.0.1 and v1.0.1f (inclusive), you may be affected. An example of an affected version would be:

    $ openssl version -a
    OpenSSL 1.0.1 14 Mar 2012
    built on: Wed Jan  8 20:45:51 UTC 2014
    platform: debian-amd64
    

    An example of a secure version would be:

    $ openssl version -a
    OpenSSL 1.0.1g 7 Apr 2014
    built on: Tue Apr  8 09:07:07 CEST 2014
    platform: linux-x86_64
    

    In this example, the OpenSSL version is newer than v1.0.1f, so it may be considered secure. This is the output you will see if you use our patch installer to update your SSL version (described in the next section).

    Another detail to check is the “built on” date. Some Linux distributions have provided security patches that fix the vulnerability without upgrading OpenSSL. The “built on” date should be April 2014 or later for the build to be considered secure. An example of a patched OpenSSL version would be:

    $ /usr/bin/openssl version -a
    OpenSSL 1.0.1 14 Mar 2012
    built on: Mon Apr  7 20:33:29 UTC 2014
    platform: debian-amd64
    

    In this example, the OpenSSL version is in the vulnerable range but it may be considered secure as it was patched in April 2014.
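The two checks above (version range, then “built on” date) can be scripted. The following is an added example, not part of Bitnami's installers; it reads the output of `openssl version -a` from standard input and prints one of three verdicts:

```bash
#!/bin/sh
# Added example, not part of Bitnami's installers: apply the version and
# "built on" rules above to the output of `openssl version -a`.
# Usage:  openssl version -a | heartbleed_status
# Verdicts: vulnerable | in-range-but-rebuilt | outside-affected-range

# Map a three-letter month abbreviation to its number (0 if unknown).
month_number() {
    case "$1" in
        Jan) echo 1 ;;  Feb) echo 2 ;;  Mar) echo 3 ;;  Apr) echo 4 ;;
        May) echo 5 ;;  Jun) echo 6 ;;  Jul) echo 7 ;;  Aug) echo 8 ;;
        Sep) echo 9 ;;  Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *)   echo 0 ;;
    esac
}

# True for 1.0.1 through 1.0.1f inclusive; 1.0.1g and later, and every
# 0.9.8/1.0.0 release, are outside the range named in the text.
in_affected_range() {
    case "$1" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *)                return 1 ;;
    esac
}

# Read `openssl version -a` output from stdin and print one verdict line.
heartbleed_status() {
    version="" month=0 year=0
    while IFS= read -r line; do
        case "$line" in
            "OpenSSL "*)
                # "OpenSSL 1.0.1e 11 Feb 2013": the version is the 2nd field
                version=$(printf '%s\n' "$line" | awk '{print $2}') ;;
            "built on:"*)
                # "built on: Mon Apr  7 20:33:29 UTC 2014": month is the
                # 4th whitespace-separated field, the year is the last one
                month=$(month_number "$(printf '%s\n' "$line" | awk '{print $4}')")
                year=$(printf '%s\n' "$line" | awk '{print $NF}') ;;
        esac
    done
    if ! in_affected_range "$version"; then
        echo "outside-affected-range"
    elif [ "$year" -gt 2014 ] || { [ "$year" -eq 2014 ] && [ "$month" -ge 4 ]; }; then
        # Same version string, but rebuilt after the fix was published:
        # typical of a distribution backport. Confirm with the remote test.
        echo "in-range-but-rebuilt"
    else
        echo "vulnerable"
    fi
}
```

The “built on” rule is a heuristic for distribution backports, so treat in-range-but-rebuilt as “probably fixed” and confirm it with the remote test from the first bullet.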

Secure your machine

Linux and Mac OS X

Follow the steps below:

The patch will check whether your installation is vulnerable and, if so, update the library version to a safe one. At the end of the patching process, it will ask for permission to restart your services (recommended) so the changes take effect. It will also save all the updated files in the installdir/opensslfix directory and the replaced files (in case they are needed to perform a rollback) in the installdir/opensslfix/backup/ directory.

  • Update the system OpenSSL library:

    $ sudo apt-get update
    $ sudo apt-get install -y libssl1.0.0 openssl
    
  • Check that the library was updated:

    $ /usr/bin/openssl version -a
    OpenSSL 1.0.1 14 Mar 2012
    built on: Mon Apr  7 20:33:29 UTC 2014
    
  • Restart any service using libssl. To find the list of those services, use the command below:

    $ sudo lsof -n | grep ssl | grep DEL
    vsftpd     479   root  DEL  REG     202,1         394910 /lib/x86_64-linux-gnu/libssl.so.1.0.0
    monit     1254   root  DEL  REG     202,1         394910 /lib/x86_64-linux-gnu/libssl.so.1.0.0
    

    Then, restart the services. Using the example above, here are sample commands:

    $ sudo /etc/init.d/monit restart
    $ sudo /etc/init.d/vsftpd restart
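A process that still maps the old, deleted libssl keeps running the vulnerable code until it is restarted, so the lsof step above is what decides which services need a restart. The following is an added example, not part of Bitnami's installers; it turns `lsof -n` output into the list of affected process names and the restart commands shown above, without running them:

```bash
#!/bin/sh
# Added example, not part of Bitnami's installers: pick the processes that
# still map a deleted (i.e. replaced) libssl out of `lsof -n` output and
# print the restart commands the text shows, without running them.
# Usage:  sudo lsof -n | restart_commands

# lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME.
# FD reads "DEL" when the mapped file was deleted or replaced on disk.
services_holding_old_libssl() {
    awk '$4 == "DEL" && $NF ~ /libssl\.so/ { print $1 }' | sort -u
}

# One init.d restart line per process name. The COMMAND column is the
# process name, which may differ from the init script name, so review
# the list before running it.
restart_commands() {
    services_holding_old_libssl | while IFS= read -r svc; do
        printf 'sudo /etc/init.d/%s restart\n' "$svc"
    done
}
```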
    

Windows

  • Stop the Apache server.

  • Create a backup directory under the installdir\Apache2\bin directory.

  • Copy openssl.exe, libeay32.dll and ssleay32.dll into the new backup directory.

  • Download and install an update for your platform.

  • Uncompress the zip file and copy the files openssl.exe, libeay32.dll and ssleay32.dll into the installdir\Apache2\bin directory.

  • Restart the Apache server.

  • Check that the library was updated:

    $ cd installdir\apache2\bin
    $ openssl.exe version -a
    OpenSSL 1.0.1g 7 Apr 2014
      
Troubleshooting

You may see the following message when running the openssl.exe command:

The Program can't start because MSVCR110.dll is missing from your computer. Try reinstalling the program to fix this problem.

To resolve this, download and install the C++ redistributable installer for Visual Studio 2012 from Microsoft. Install the 32-bit version by selecting the vcredist_x86.exe installer.

Next steps

After applying the patches above, double-check if your website is still vulnerable using this website.

The vulnerability allows an attacker to steal private keys, which would let them decrypt any information protected by those keys and impersonate your server. It is advisable to revoke potentially compromised keys and to reissue and redistribute new ones. This is only necessary if you configured HTTPS using your own certificate. In this case, generate new certificates and configure them again in your server.

Please direct any questions you have about this issue to our community website.