If you’ve been following any of the security chatter on the Internet, you probably are aware that the Heartbleed bug in OpenSSL is a bad one. Unless you take steps on your server, an assailant can, without leaving any traces, compromise your entire SSL setup and possibly steal information from your users. Definitely a Bad Thing.
For Ubuntu servers, here’s one way to go about fixing it:
Verify you have a vulnerable version
You can use the command
sudo openssl version -a
to check your current OpenSSL version. This command will output something like this:
OpenSSL 1.0.1 14 Mar 2012
built on: Tue Jun  4 07:26:06 UTC 2013
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"
Note the “built on” date. If this is earlier than April 7, 2014, you have a vulnerable version.
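Reading the date by eye works for one server, but if you have a few to check it is easy to script the same test. The following POSIX sh snippet is an added example, not part of the original post: it pulls the "built on:" line out of `openssl version -a` output, turns it into a YYYYMMDD number and compares it with the April 7, 2014 cut-off the post uses. The sample outputs embedded below are constructed for illustration (the first reuses the build line from the post, the second is a made-up line dated on the cut-off day).

```shell
#!/bin/sh
# Added example (not from the original post): decide whether an OpenSSL build
# predates the Heartbleed fix by parsing the "built on:" line.

# Read `openssl version -a` output on stdin and print the build date as YYYYMMDD.
# The line looks like: built on: Tue Jun  4 07:26:06 UTC 2013
# so field 4 is the month name, field 5 the day and field 8 the year.
built_on_yyyymmdd() {
    awk '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = i
        }
        /^built on:/ { printf "%04d%02d%02d\n", $8, mon[$4], $5; found = 1 }
        END { if (!found) print "00000000" }
    '
}

# Exit 0 if the build date is on or after April 7, 2014, 1 otherwise.
# A missing or unparsable "built on:" line yields 00000000 and is treated as vulnerable.
heartbleed_build_date_ok() {
    date_built=$(built_on_yyyymmdd)
    [ "$date_built" -ge 20140407 ]
}

# Constructed sample: the build line from the post's example output (pre-fix).
SAMPLE_OLD='OpenSSL 1.0.1 14 Mar 2012
built on: Tue Jun  4 07:26:06 UTC 2013
platform: debian-amd64'

# Constructed sample: a build line dated on the cut-off day itself.
SAMPLE_NEW='OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr  7 20:31:55 UTC 2014
platform: debian-amd64'

for sample in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    if printf '%s\n' "$sample" | heartbleed_build_date_ok; then
        echo "build $(printf '%s\n' "$sample" | built_on_yyyymmdd): on or after April 7, 2014, OK"
    else
        echo "build $(printf '%s\n' "$sample" | built_on_yyyymmdd): predates April 7, 2014, patch and reboot"
    fi
done
```

On a live system run it as `sudo openssl version -a | heartbleed_build_date_ok` and act on the exit status; the date test only tells you which binary is installed, not whether running services have picked it up, which is why the post's reboot step still applies.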
Install the latest security patches
One way to get all the latest security patches is to use the command:
sudo apt-get dist-upgrade
This will produce output something like this:
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following NEW packages will be installed:
  liblcms2-2 linux-headers-3.2.0-60 linux-headers-3.2.0-60-virtual linux-image-3.2.0-60-virtual
The following packages will be upgraded:
  accountsservice apt apt-transport-https apt-utils base-files bc bind9-host ca-certificates cloud-init cloud-utils curl dmsetup dnsutils file gir1.2-gudev-1.0 gnupg gpgv grub-common grub-legacy-ec2 grub-pc grub-pc-bin grub2-common icedtea-6-jre-cacao icedtea-6-jre-jamvm ifupdown initramfs-tools initramfs-tools-bin iproute landscape-client landscape-common libaccountsservice0 libapt-inst1.4 libapt-pkg4.12 libavahi-client3 libavahi-common-data libavahi-common3 libbind9-80 libcurl3 libcurl3-gnutls libdevmapper1.02.1 libdns81 libdrm-intel1 libdrm-nouveau1a libdrm-radeon1 libdrm2 libgnutls26 libgudev-1.0-0 libisc83 libisccc80 libisccfg82 libjpeg-turbo8 liblwres80 libmagic1 libmysqlclient18 libnspr4 libnss3 libnss3-1d libpython2.7 libssl1.0.0 libudev0 libxfont1 libyaml-0-2 linux-firmware linux-headers-virtual linux-image-virtual linux-libc-dev linux-virtual mysql-client-5.5 mysql-client-core-5.5 mysql-common openjdk-6-jre-headless openjdk-6-jre-lib openssh-client openssh-server openssl oracle-java7-installer oracle-java7-set-default perl perl-base perl-modules python-apt python-apt-common python-software-properties python2.7 python2.7-minimal rsyslog sudo tzdata tzdata-java udev update-manager-core xkb-data
92 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 138 MB of archives.
After this operation, 81.2 MB of additional disk space will be used.
Do you want to continue [Y/n]?
If you say “yes,” it will then download and update all the various items listed.
If you really wanted to just update OpenSSL, you could instead use
sudo apt-get update
sudo apt-get install openssl libssl1.0.0
but it’s generally better (IMHO) to make sure you’re fully patched up.
Reboot
You need to reboot your server to make sure that everything that may be using OpenSSL has been restarted.
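A reboot is the blunt way to be sure nothing is still running against the old library. If you want to confirm that, or you cannot reboot immediately and need to know which services to restart, you can look for processes whose address space still maps a libssl or libcrypto file that has since been replaced: the kernel marks such mappings "(deleted)" in /proc/PID/maps. The snippet below is an added example, not from the original post. It reads one maps file on stdin and reports the stale library paths, and a second function walks every process on the box; the two maps lines embedded in it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): find processes that still have a
# replaced (deleted) libssl/libcrypto mapped, i.e. that were not restarted after
# the upgrade.

# Read one /proc/PID/maps on stdin. Print each distinct stale libssl/libcrypto
# path and exit 1 if any were found, exit 0 if the process is clean.
# A maps line looks like:
#   7f3c1a000000-7f3c1a1c2000 r-xp 00000000 08:01 1048580 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
# so field 6 is the path and "(deleted)" trails it as field 7.
stale_ssl_maps() {
    awk '
        /lib(ssl|crypto)\.so.*\(deleted\)$/ { seen[$6] = 1 }
        END {
            n = 0
            for (p in seen) { print p; n++ }
            exit (n ? 1 : 0)
        }
    '
}

# Walk every process and report the ones still using a replaced library.
# Run as root, otherwise maps files of other users' processes are unreadable
# and those processes are silently skipped.
scan_all_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        stale=$(stale_ssl_maps < "$maps" 2>/dev/null) && continue
        [ -n "$stale" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        printf 'pid %s (%s) still maps: %s\n' "$pid" "${comm:-?}" "$stale"
    done
}

# Constructed sample: one process that still maps a replaced libssl.
SAMPLE_STALE='7f3c1a000000-7f3c1a1c2000 r-xp 00000000 08:01 1048580 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3c1a400000-7f3c1a5c2000 r-xp 00000000 08:01 1048581 /lib/x86_64-linux-gnu/libc.so.6'

# Constructed sample: a process whose mappings are all current.
SAMPLE_CLEAN='7f3c1a000000-7f3c1a1c2000 r-xp 00000000 08:01 1048590 /lib/x86_64-linux-gnu/libssl.so.1.0.0
7f3c1a400000-7f3c1a5c2000 r-xp 00000000 08:01 1048581 /lib/x86_64-linux-gnu/libc.so.6'

if out=$(printf '%s\n' "$SAMPLE_STALE" | stale_ssl_maps); then
    echo "sample 1: clean"
else
    echo "sample 1: still maps replaced library: $out"
fi
if printf '%s\n' "$SAMPLE_CLEAN" | stale_ssl_maps >/dev/null; then
    echo "sample 2: clean"
else
    echo "sample 2: still maps replaced library"
fi
```

On a real host run `sudo sh -c '. ./this-file; scan_all_processes'` (or paste the functions into a root shell); an empty report after the reboot confirms that every process is on the new library, and a non-empty one before the reboot tells you exactly which daemons to restart.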
Verify
Repeat the
sudo openssl version -a
command to make sure that you now have a build that is on or after April 7, 2014.
This post was written by Kevin Hunter, and originally appeared on Silver Bay Tech’s blog.