OpenSSL Heartbleed Vulnerability


Staff member
What is it?
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

How is it stopped?
As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released, CentOS has backported it, and we've deployed the update to all customers and restarted commonly used services which rely on OpenSSL.

What versions of the OpenSSL are affected?
Status of different versions:

  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable
  • OpenSSL 1.0.1e-16.el6_5.7 in CentOS has the fix backported into it. This is the release that will be applicable to our customers.
Customers running CentOS 5.x (OpenSSL 0.9.8 branch) are not, and never were vulnerable. There's nothing for you to worry about at all.

Can I (or support) detect if someone has exploited this against me?
Exploitation of this bug leaves no traces of anything abnormal happening to the logs, so no.

What do I need to do?
You do not need to worry about applying any updates. We've deployed updated OpenSSL libraries to all of our systems as well as restarted common services which would have been running using the old binary such as Apache. If you want to be 100% certain that no running processes are using the old binary, we recommend restarting your server which can be done via VZ Power Panel for VPSs and SSH/WHM for dedicated servers. We can restart your server for you of course if you open a support ticket and request it.

The exploit could allow a malicious user to obtain information from a 64k block of memory which could potentially contain anything from keys, passwords, usernames, and other information.

There have been no known cases yet of someone having been exploited using this, so we're leaving it up to users on whether or not to change all passwords, regenerate SSLs, change SSH keys, etc.

Having said that, a few things that could be affected are, but not limited to:

  • SSH keys
  • Website passwords
  • Email passwords
  • WHM keys
  • SSL certificates