2014-06-05 OpenSSL CCS Injection Vulnerability
A number of OpenSSL security vulnerabilities were announced on 2014-06-05 that affect most versions of OpenSSL currently in use. The most significant one was CVE-2014-0224, which allows an attacker to intercept communications between two vulnerable OpenSSL implementations (such as a browser and a web server). In most scenarios, this is not an issue since most consumer browsers do not use OpenSSL.
Having said that, this is an important security issue and we recommend that all Bitnami users upgrade their servers if their Bitnami application or server was released previous to 2014-06-05.
Secure your machine
Follow the steps below:
Patch the library located in the /opt/bitnami directory, by downloading and installing an update for your platform.
For Ubuntu Linux 14.04 64-bit systems:
$ wget http://downloads.bitnami.com/files/download/opensslfixer/bitnami-opensslfixer-1.0.1h-0-linux-x64-installer.run
For Ubuntu Linux 14.04 32-bit systems:
$ wget http://downloads.bitnami.com/files/download/opensslfixer/bitnami-opensslfixer-1.0.1h-0-linux-installer.run
Install the patch using the commands below:
$ chmod +x ./bitnami-opensslfixer-*-installer.run $ sudo ./bitnami-opensslfixer-*-installer.run
The patch will check if your installation is vulnerable and if so, update the library version to a safe one. At the end of the patching process, it will ask for permissions to restart your services (recommended) so the changes take effect. It will also save all the updated files in the /opt/bitnami/opensslfix directory and the replaced files (in case they are needed to perform a rollback) in the /opt/bitnami/opensslfix/backup/ directory.
Update the system OpenSSL library:
For Ubuntu and Debian systems:
$ sudo apt-get update $ sudo apt-get install -y openssl libssl1.0.0
For RedHat, CentOS and Fedora systems:
$ sudo yum -y update openssl
Check that the library was updated:
$ /usr/bin/openssl version -a OpenSSL 1.0.1 14 Mar 2012 built on: Mon Jun 2 19:37:18 UTC 2014
Restart any service using libssl. To find the list of those services, use the command below:
$ sudo lsof -n | grep ssl | grep DEL vsftpd 481 root DEL REG 202,1 393314 /lib/x86_64-linux-gnu/libssl.so.1.0.0 monit 1269 root DEL REG 202,1 393314 /lib/x86_64-linux-gnu/libssl.so.1.0.0
Then, restart the services. Using the example above, here are sample commands:
$ sudo /etc/init.d/monit restart $ sudo /etc/init.d/vsftpd restart