vmware

2014-06-05 OpenSSL CCS Injection Vulnerability

A number of OpenSSL security vulnerabilities were announced on 2014-06-05 that affect most versions of OpenSSL currently in use. The most significant one was CVE-2014-0224, which allows an attacker to intercept communications between two vulnerable OpenSSL implementations (such as a browser and a web server). In most scenarios, this is not an issue since most consumer browsers do not use OpenSSL.

Having said that, this is an important security issue and we recommend that all Bitnami users upgrade their servers if their Bitnami application or server was released previous to 2014-06-05.

Secure your machine

Follow the steps below:

  • Patch the library located in the /opt/bitnami directory, by downloading and installing an update for your platform.

    • For Ubuntu Linux 14.04 64-bit systems:

      $ wget http://downloads.bitnami.com/files/download/opensslfixer/bitnami-opensslfixer-1.0.1h-0-linux-x64-installer.run
      
    • For Ubuntu Linux 14.04 32-bit systems:

      $ wget http://downloads.bitnami.com/files/download/opensslfixer/bitnami-opensslfixer-1.0.1h-0-linux-installer.run
      
  • Install the patch using the commands below:

    $ chmod +x ./bitnami-opensslfixer-*-installer.run
    $ sudo ./bitnami-opensslfixer-*-installer.run
    

    The patch will check if your installation is vulnerable and if so, update the library version to a safe one. At the end of the patching process, it will ask for permissions to restart your services (recommended) so the changes take effect. It will also save all the updated files in the /opt/bitnami/opensslfix directory and the replaced files (in case they are needed to perform a rollback) in the /opt/bitnami/opensslfix/backup/ directory.

    • Update the system OpenSSL library:

      • For Ubuntu and Debian systems:

        $ sudo apt-get update $ sudo apt-get install -y openssl libssl1.0.0

      • For RedHat, CentOS and Fedora systems:

        $ sudo yum -y update openssl

    • Check that the library was updated:

      $ /usr/bin/openssl version -a
      OpenSSL 1.0.1 14 Mar 2012
      built on: Mon Jun  2 19:37:18 UTC 2014
      
    • Restart any service using libssl. To find the list of those services, use the command below:

      $ sudo lsof -n | grep ssl | grep DEL
      vsftpd     481       root  DEL       REG              202,1              393314 /lib/x86_64-linux-gnu/libssl.so.1.0.0
      monit     1269       root  DEL       REG              202,1              393314 /lib/x86_64-linux-gnu/libssl.so.1.0.0
      

      Then, restart the services. Using the example above, here are sample commands:

      $ sudo /etc/init.d/monit restart
      $ sudo /etc/init.d/vsftpd restart