What is OpenSSL?
OpenSSL is cryptography software used on more than half of the servers connected to the Internet. It is designed to keep IM, email, VPN and web traffic secure by using SSL (Secure Sockets Layer) and TLS (Transport Layer Security) to secure communication between the two end points.
What is the bug?
In short, the bug has existed for over two years and was only recently announced. The security flaw allows attackers to read the memory of systems running a vulnerable version of OpenSSL (see below). While simply seeing a system's memory is not necessarily damaging on its own, the attacker could also see temporarily stored information such as usernames, passwords, keys, etc. The hard part is that, because of the way the attack is carried out, there is often no trace of entry in the logs.
How do I know if I am vulnerable?
Check the OpenSSL version you are running against the list below:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
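The check below is an added example, not part of the original page: it takes the output of `openssl version` (for example "OpenSSL 1.0.1e-fips 11 Feb 2013") and classifies it against the version list above. The function names `heartbleed_status` and `check_local_openssl` are ours; versions the page does not cover (such as 1.0.2 betas) are reported as "unknown" rather than guessed.

```sh
#!/bin/sh
# Added example: classify an "openssl version" string against the
# affected range listed on this page (1.0.1 through 1.0.1f inclusive).
# Prints exactly one word: vulnerable, not-vulnerable, or unknown.
heartbleed_status() {
    # $1 is the full "openssl version" output, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
    # Strip the leading "OpenSSL " and keep only the version token.
    ver=${1#OpenSSL }
    ver=${ver%% *}
    case "$ver" in
        # 1.0.1 itself, 1.0.1-<suffix> (e.g. -fips), and 1.0.1a..1.0.1f
        1.0.1|1.0.1-*|1.0.1[a-f]*)
            echo vulnerable ;;
        # 1.0.1g and later letter releases carry the fix
        1.0.1[g-z]*)
            echo not-vulnerable ;;
        # The 1.0.0 and 0.9.8 branches never contained the heartbeat bug
        1.0.0*|0.9.8*)
            echo not-vulnerable ;;
        # Anything else (empty string, 1.0.2 betas, unexpected formats)
        *)
            echo unknown ;;
    esac
}

# Run the check against the OpenSSL binary on this machine, if any.
# An absent binary yields an empty string and therefore "unknown".
check_local_openssl() {
    heartbleed_status "$(openssl version 2>/dev/null)"
}

printf 'local openssl: %s\n' "$(check_local_openssl)"
```

Distributions often backport the fix without changing the upstream version string, so on a packaged system also confirm the fix in the package changelog rather than trusting the version token alone.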
What Operating Systems are impacted?
- Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
- Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
- CentOS 6.5, OpenSSL 1.0.1e-15
- Fedora 18, OpenSSL 1.0.1e-4
- OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
- FreeBSD 8.4 (OpenSSL 1.0.1e) and 9.1 (OpenSSL 1.0.1c)
- NetBSD 5.0.2 (OpenSSL 1.0.1e)
- OpenSUSE 12.2 (OpenSSL 1.0.1c)
How do I update?
- RHEL/CentOS servers:
  - yum update
  - yum upgrade
- Debian/Ubuntu servers:
  - apt-get update
  - apt-get upgrade
If you need assistance, please feel free to reach out to us.