2014-06-05 OpenSSL CCS Injection Vulnerability
A number of OpenSSL security vulnerabilities were announced on 2014-06-05 that affect most versions of OpenSSL currently in use. The most significant one was CVE-2014-0224, which allows an attacker to intercept communications between two vulnerable OpenSSL implementations (such as a browser and a web server). In most scenarios, this is not an issue since most consumer browsers do not use OpenSSL.
Having said that, this is an important security issue and we recommend that all Bitnami users upgrade their servers if their Bitnami application or server was released previous to 2014-06-05.
Secure your machine
Follow the steps below:
Patch the library located in the installdir directory, by downloading and installing an update for your platform.
For Ubuntu Linux 14.04 64-bit systems: http://downloads.bitnami.com/files/download/opensslfixer/bitnami-opensslfixer-1.0.1h-0-linux-x64-installer.run md5: 3eff424b75378f30ee527013791b63eb
For Ubuntu Linux 14.04 32-bit systems: http://downloads.bitnami.com/files/download/opensslfixer/bitnami-opensslfixer-1.0.1h-0-linux-installer.run md5: b3e35c406017bbe67d0cf065c689d017
For Mac OS X: http://downloads.bitnami.com/files/download/opensslfixer/bitnami-opensslfixer-1.0.1h-0-osx-x86_64-installer.dmg md5: bd28bfdb67c7a69d70644183841ceb92
Install the patch using the commands below:
$ chmod +x ./bitnami-opensslfixer-*-installer.run $ sudo ./bitnami-opensslfixer-*-installer.run
The patch will check if your installation is vulnerable and if so, update the library version to a safe one. At the end of the patching process, it will ask for permissions to restart your services (recommended) so the changes take effect. It will also save all the updated files in the installdir/opensslfix directory and the replaced files (in case they are needed to perform a rollback) in the installdir/opensslfix/backup/ directory.
Update the system OpenSSL library:
For Ubuntu and Debian systems:
$ sudo apt-get update $ sudo apt-get install -y openssl libssl1.0.0
For RedHat, CentOS and Fedora systems:
$ sudo yum -y update openssl
Check that the library was updated:
$ /usr/bin/openssl version -a OpenSSL 1.0.1 14 Mar 2012 built on: Mon Jun 2 19:37:18 UTC 2014
Restart any service using libssl. To find the list of those services, use the command below:
$ sudo lsof -n | grep ssl | grep DEL vsftpd 481 root DEL REG 202,1 393314 /lib/x86_64-linux-gnu/libssl.so.1.0.0 monit 1269 root DEL REG 202,1 393314 /lib/x86_64-linux-gnu/libssl.so.1.0.0
Then, restart the services. Using the example above, here are sample commands:
$ sudo /etc/init.d/monit restart $ sudo /etc/init.d/vsftpd restart