If you’ve been following any of the security chatter on the Internet, you are probably aware that the Heartbleed bug in OpenSSL is a bad one. Unless you take steps on your server, an assailant can, without leaving any traces, compromise your entire SSL setup and possibly steal information from your users. Definitely a Bad Thing.

For Ubuntu servers, here’s one way to go about fixing it:

Verify you have a vulnerable version

You can use the command

sudo openssl version -a

to check your current OpenSSL version. This command will output something like this:

OpenSSL 1.0.1 14 Mar 2012
built on: Tue Jun  4 07:26:06 UTC 2013
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) 
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"

Note the “built on” date. If this is earlier than April 7, 2014, you have a vulnerable version.

Install the latest security patches

One way to get all the latest security patches is to use the command:

sudo apt-get dist-upgrade

This will produce output something like this:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following NEW packages will be installed:
  liblcms2-2 linux-headers-3.2.0-60 linux-headers-3.2.0-60-virtual
  linux-image-3.2.0-60-virtual
The following packages will be upgraded:
  accountsservice apt apt-transport-https apt-utils base-files bc bind9-host
  ca-certificates cloud-init cloud-utils curl dmsetup dnsutils file
  gir1.2-gudev-1.0 gnupg gpgv grub-common grub-legacy-ec2 grub-pc grub-pc-bin
  grub2-common icedtea-6-jre-cacao icedtea-6-jre-jamvm ifupdown
  initramfs-tools initramfs-tools-bin iproute landscape-client
  landscape-common libaccountsservice0 libapt-inst1.4 libapt-pkg4.12
  libavahi-client3 libavahi-common-data libavahi-common3 libbind9-80 libcurl3
  libcurl3-gnutls libdevmapper1.02.1 libdns81 libdrm-intel1 libdrm-nouveau1a
  libdrm-radeon1 libdrm2 libgnutls26 libgudev-1.0-0 libisc83 libisccc80
  libisccfg82 libjpeg-turbo8 liblwres80 libmagic1 libmysqlclient18 libnspr4
  libnss3 libnss3-1d libpython2.7 libssl1.0.0 libudev0 libxfont1 libyaml-0-2
  linux-firmware linux-headers-virtual linux-image-virtual linux-libc-dev
  linux-virtual mysql-client-5.5 mysql-client-core-5.5 mysql-common
  openjdk-6-jre-headless openjdk-6-jre-lib openssh-client openssh-server
  openssl oracle-java7-installer oracle-java7-set-default perl perl-base
  perl-modules python-apt python-apt-common python-software-properties
  python2.7 python2.7-minimal rsyslog sudo tzdata tzdata-java udev
  update-manager-core xkb-data
92 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 138 MB of archives.
After this operation, 81.2 MB of additional disk space will be used.
Do you want to continue [Y/n]? 

If you say “yes,” it will then download and update all the various items listed.

If you really wanted to just update OpenSSL, you could instead use

sudo apt-get update
sudo apt-get install openssl libssl1.0.0

but it’s generally better (IMHO) to make sure you’re fully patched up.

Reboot

You need to reboot your server to make sure that every running process that may have loaded the old OpenSSL library has been restarted.

Verify

Repeat the

sudo openssl version -a

command to make sure that you now have a build that is on or after April 7, 2014.
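The whole check-patch-reboot-verify routine comes down to reading that “built on” date correctly, and it is easy to misread by hand because the first line (“OpenSSL 1.0.1 14 Mar 2012”) does not change when Ubuntu backports the fix. Here is a small POSIX shell script, added as an example and not part of the original post, that applies the post’s build-date rule to the output of “openssl version -a” and reports “vulnerable”, “patched” or “unknown”; the sample outputs embedded in it are constructed, modelled on the output shown above.

```shell
#!/bin/sh
# Added example, not from the original post: classify "openssl version -a"
# output by its "built on:" date, the check the post relies on (the version
# line itself stays "OpenSSL 1.0.1 14 Mar 2012" after Ubuntu's backported fix).

# Convert a "built on: Tue Jun  4 07:26:06 UTC 2013" line to YYYYMMDD.
# Returns 1 if the line does not carry a parseable date.
build_date_key() {
    set -- $(printf '%s\n' "$1" | sed 's/^built on: *//')
    # Positional parameters are now: Tue Jun 4 07:26:06 UTC 2013
    mon=$2; day=$3; year=$6
    case "$mon" in
        Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;; Jun) m=06;;
        Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;
    esac
    # Day and year must both be plain numbers, or the date is unusable.
    for v in "$day" "$year"; do case "$v" in ''|*[!0-9]*) return 1;; esac; done
    printf '%s%s%02d\n' "$year" "$m" "$day"
}

# Read "openssl version -a" output on stdin and print one of
# vulnerable (built before April 7, 2014), patched, or unknown.
heartbleed_status() {
    line=$(grep '^built on:' | head -n 1)
    key=$(build_date_key "$line") || { echo unknown; return 0; }
    if [ "$key" -lt 20140407 ]; then echo vulnerable; else echo patched; fi
}

# Constructed samples modelled on the output shown in the post.
SAMPLE_OLD='OpenSSL 1.0.1 14 Mar 2012
built on: Tue Jun  4 07:26:06 UTC 2013
platform: debian-amd64'
SAMPLE_NEW='OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr  7 20:33:29 UTC 2014
platform: debian-amd64'

# Demonstrate on the samples; on a real server pipe
# "sudo openssl version -a" into heartbleed_status instead.
printf '%s\n' "$SAMPLE_OLD" | heartbleed_status   # vulnerable
printf '%s\n' "$SAMPLE_NEW" | heartbleed_status   # patched
```

A build that reports no date at all (newer OpenSSL releases print “reproducible build, date unspecified”) is deliberately reported as “unknown” rather than guessed, so fall back to the package version in that case.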

This post was written by Kevin Hunter, and originally appeared on Silver Bay Tech’s blog.