Darren Mothersele

Software Developer

Warning: You are viewing old, legacy content. Kept for posterity. Information is out of date. Code samples probably don't work. My opinions have probably changed. Browse at your own risk.

Heartbleed

Apr 8, 2014

devops

A serious bug in OpenSSL was disclosed last night. I just happened to check Hacker News late last night, about 2 hours after it had been posted.

Luckily, by this time Ubuntu had released updated packages for OpenSSL, and as most of the servers under my control are running Ubuntu Server, I could easily patch them to remove the vulnerability. The fix for Red Hat seemed to take a little bit longer to arrive, but it’s here now.

Patching the vulnerability is just the first step; there’s a lot more work to do to recover from this bug…

### Check OpenSSL version

You need to be running OpenSSL 1.0.1g:

```
openssl version
```

On its own, this command doesn’t report the full version information (distribution packages may carry the fix under an older version string). If you check this post you will find further information on what to look for.

If you are on Ubuntu 12.04 the package you are looking for is this one:

```
openssl 1.0.1-4ubuntu5.12
```
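To make the two checks above repeatable, here is an added shell script (my example, not code from the original post) that compares the `openssl version` output and, on Ubuntu 12.04, the installed openssl package version against the fixed versions quoted above. It assumes GNU `sort -V` for version ordering and `dpkg-query` for the package check; the sample version strings in the comments are constructed.

```shell
#!/bin/sh
# Heartbleed fix check. Added example, not code from the original post.
# Fixed versions are the ones quoted in the post: upstream 1.0.1g and the
# Ubuntu 12.04 package 1.0.1-4ubuntu5.12. Ordering uses GNU "sort -V".
FIXED_UPSTREAM="1.0.1g"
FIXED_PKG_1204="1.0.1-4ubuntu5.12"

# version_ge A B: succeed when version A is at least version B.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Pull the version token out of "openssl version" output, e.g. the
# constructed line "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e".
upstream_version_from() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# upstream_is_fixed "<openssl version output>": succeed only when the
# binary itself reports 1.0.1g or later. Distribution builds that backport
# the fix keep an older string, so failure here is not conclusive.
upstream_is_fixed() {
    version_ge "$(upstream_version_from "$1")" "$FIXED_UPSTREAM"
}

# pkg_is_fixed "<dpkg version>": succeed when an Ubuntu 12.04 openssl
# package version is at least the patched one.
pkg_is_fixed() {
    version_ge "$1" "$FIXED_PKG_1204"
}

# Live check of the current host; the package fallback only makes sense
# on Ubuntu 12.04, where the fixed package version above applies.
check_host() {
    if upstream_is_fixed "$(openssl version 2>/dev/null)"; then
        echo "openssl binary reports a fixed upstream version"
        return 0
    fi
    if command -v dpkg-query >/dev/null 2>&1; then
        pkg="$(dpkg-query -W -f '${Version}' openssl 2>/dev/null)"
        if pkg_is_fixed "$pkg"; then
            echo "openssl package $pkg carries the fix"
            return 0
        fi
    fi
    echo "openssl does NOT appear to be fixed: update it and restart services" >&2
    return 1
}
```

Call `check_host` on the server; its exit status is 0 only when one of the two checks passes, and a patched library still needs every service that loaded the old one restarted.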

### Further recovery…

But patching OpenSSL is only a small part of the fix for this bug; the consequences go much deeper.

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.

This essentially means that encryption keys, user credentials, and any content handled by the servers could have been exposed. So the following steps are required (see this post):

### Leaves no trace…

It’s also worth noting that exploiting the vulnerability leaves no trace, so there is no way to know if your system, encryption keys, passwords or content has been compromised.

It’s worth doing a general password reset anyway.

A final note: this doesn’t affect OpenSSH, just OpenSSL, as OpenSSH doesn’t include the broken TLS implementation.