OpenSSL - Heartbleed
Posted by Jithender Reddy on 20 April 2014 04:24 PM
Recently, the 'Heartbleed Bug' was uncovered in SSL-enabled sites and has been called the biggest vulnerability in the history of the Internet. It affects sites running a vulnerable version of the OpenSSL library, and it can be abused for as long as that version remains in use.
What makes the Heartbleed Bug unique?
Bugs in a single piece of software or a library come and go and are fixed by new versions. However, this bug has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, the ease of exploitation and the fact that attacks leave no trace, this exposure should be taken seriously.
How can OpenSSL be fixed?
Even though the actual code fix may appear trivial, the OpenSSL team is the expert in fixing it properly, so the fixed version 1.0.1g or newer should be used. If this is not possible, software developers can recompile OpenSSL with the heartbeat extension removed from the code by using the compile-time option -DOPENSSL_NO_HEARTBEATS.
Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
On yum-based systems, run the command yum update openssl* for a full OpenSSL upgrade.
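As an added example (not part of the original article), the following POSIX shell script shows how a defender can check whether the OpenSSL version reported by a host falls inside the Heartbleed-affected range (1.0.1 through 1.0.1f, plus the 1.0.2-beta1 pre-release) before deciding to run the upgrade above. The function names and the sample banner strings are my own constructions; the affected-version range is from the upstream OpenSSL advisory.

```shell
#!/bin/sh
# Added example, not from the original article. Classifies an OpenSSL version
# string against the Heartbleed-affected range and reports on the local install.

# Returns 0 (true) when the version string is in the affected range, 1 otherwise.
# Affected: 1.0.1 (no suffix), 1.0.1a .. 1.0.1f, and the 1.0.2-beta1 pre-release.
# Not affected by version number: 1.0.1g and newer, 1.0.0x, 0.9.8x, 1.0.2 final.
heartbleed_affected_version() {
  case "$1" in
    1.0.1)        return 0 ;;
    1.0.1[a-f])   return 0 ;;
    1.0.2-beta1)  return 0 ;;
    *)            return 1 ;;
  esac
}

# Extracts the bare version token from an "openssl version" banner,
# e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013" -> "1.0.1e".
# Only a trailing "-fips" is stripped so that "1.0.2-beta1" stays intact.
openssl_version_from_banner() {
  set -- $1
  printf '%s\n' "${2%-fips}"
}

# Runs "openssl version" on this host and prints a verdict.
# Exit status: 0 = affected range, 1 = outside the range, 2 = openssl not found.
check_installed_openssl() {
  banner=$(openssl version 2>/dev/null) || { echo "openssl binary not found"; return 2; }
  v=$(openssl_version_from_banner "$banner")
  if heartbleed_affected_version "$v"; then
    echo "OpenSSL $v is in the Heartbleed-affected range: update (e.g. yum update openssl*)"
    return 0
  fi
  echo "OpenSSL $v is outside the affected range by version number"
  return 1
}

# Invoke with --check to examine the local host; the functions above can also
# be sourced and applied to banners collected from an inventory.
if [ "${1:-}" = "--check" ]; then
  check_installed_openssl
fi
```

The version banner alone is not a definitive answer: distribution vendors such as Red Hat backported the fix while keeping the upstream version string (a patched package can still report 1.0.1e), so the package manager's update shown above, or the package changelog, is the authoritative check. After upgrading, restart every service that links OpenSSL, since a running process keeps the old library mapped until it is restarted.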