check your servers for the heartbleed bug in openssl - SSL was broken.

263 views
Skip to first unread message

Bruce Kirkpatrick

unread,
Apr 8, 2014, 4:54:12 PM4/8/14
to ra...@googlegroups.com
Just wanted to share that there is a serious problem with openssl that allows public users to get past SSL security.  This affected most recent Linux OS distributions.
http://heartbleed.com/

It lets people steal your private keys and do other bad things.  Pretty serious problem.

Not too hard to fix.  I had to upgrade ours, and restart the services to fix the vulnerability.  It doesn't auto-fix when you update openssl only, the nginx/apache restart was required on both ubuntu and centos for me.   Nginx also required libssl to be upgraded for me, not just openssl.

You can check for server vulnerability more quickly here:

I'm on ubuntu 13.04 still, so I had to manually upgrade to saucy packages to fix it since it's no longer supported.

It's all over the tech news right now:

hope this helps!

rushglen

unread,
Apr 8, 2014, 10:12:02 PM4/8/14
to ra...@googlegroups.com
phew! all ok, thanks.

melinite

unread,
Apr 8, 2014, 10:45:59 PM4/8/14
to ra...@googlegroups.com
according to heartbleed.com affected OS and unaffected OS. Basically if you are using openssl v1+ then you need to rekey, reissue, recompile, update, patch, and pray.

Affected.

  • Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
  • Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
  • CentOS 6.5, OpenSSL 1.0.1e-15
  • Fedora 18, OpenSSL 1.0.1e-4
  • OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
  • FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
  • NetBSD 5.0.2 (OpenSSL 1.0.1e)
  • OpenSUSE 12.2 (OpenSSL 1.0.1c)

Operating system distribution with versions that are not vulnerable:

  • Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
  • SUSE Linux Enterprise Server
  • FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
  • FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
  • FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)

melinite

unread,
Apr 8, 2014, 10:47:25 PM4/8/14
to ra...@googlegroups.com
Also please use these more thorough tool than the one mentioned by Bruce.


Keep that ssl checker bookmarked, it is very useful and they are up to date to most CVE and 0day exploits when they occur. The tool bruce mentioned was a simple hack.

Rani

unread,
Apr 9, 2014, 5:22:45 AM4/9/14
to ra...@googlegroups.com
Thanks Bruce for info.

I would also like to share another ssl checker tool from Qualys which i have been using for a while:

https://www.ssllabs.com/ssltest/index.html

Igal @ getRailo.org

unread,
Apr 9, 2014, 1:28:53 PM4/9/14
to ra...@googlegroups.com
FYI:  on Windows \ nginx an update of nginx to version 1.5.13 seems to resolve the issue.
--
Did you find this reply useful? Help the Railo community and add it to the Railo Server wiki at https://github.com/getrailo/railo/wiki
---
You received this message because you are subscribed to the Google Groups "Railo" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/railo/d7dbfaf2-ea71-46c3-b21e-189ecdbbd06b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

-- 
Igal Sapir
Railo Core Developer
http://getRailo.org/

Brad Wood

unread,
Apr 10, 2014, 6:39:20 PM4/10/14
to ra...@googlegroups.com
I've seen a lot of information relating to *hosts* which are serving SSL content, but from what I've read today clients (such as CURL) can also be vulnerable.


Does CFHTTP use openSSL and could our CFML code which connects to a remote HTTPS endpoint be insecure?

Thanks!

~Brad

Sean Daniels

unread,
Apr 11, 2014, 10:40:42 AM4/11/14
to ra...@googlegroups.com
This is a really excellent question and I would love to get a response from the Railo team as well.

I’m pretty sure Railo uses the Apache commons library httpclient for cfhttp. Google-fu is not producing any useful results about whether or not org.apache.commons.httpclient.HttpClient itself is vulnerable.

I’ll keep looking.

- Sean

Sean Daniels

unread,
Apr 11, 2014, 10:48:37 AM4/11/14
to ra...@googlegroups.com
I used the tester application at https://reverseheartbleed.com and got an OK result from my Railo 4.2 server calling their test URL via cfhttp.

A good sign, though hardly as definitive as I’d like.

On April 10, 2014 at 6:39:22 PM, Brad Wood (br...@bradwood.com) wrote:

Bruce Kirkpatrick

unread,
Apr 11, 2014, 10:52:10 AM4/11/14
to ra...@googlegroups.com
Cool.  I think the httpclient is built on top of Oracle java ssl code, which shares nothing in common with openssl.  Source: http://hc.apache.org/httpclient-3.x/sslguide.html

Bruce Kirkpatrick

unread,
Apr 18, 2014, 10:47:31 AM4/18/14
to ra...@googlegroups.com
I just noticed Railo blog has a related link about their heartbleed bug Railo analysis.


On Tuesday, April 8, 2014 4:54:12 PM UTC-4, Bruce Kirkpatrick wrote:
Reply all
Reply to author
Forward
0 new messages