Fix OpenSSL Vulnerabilities on CentOS, Debian, Ubuntu and RHEL! [1.0.1e-fips]

If your production machines run OpenSSL 1.0.1, 1.0.0 or 0.9.8, take note of two serious vulnerabilities reported in March 2015: OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291) and Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204).

Both were classified as high severity among the several vulnerabilities reported here. The affected OpenSSL versions are 1.0.1, 1.0.0 and 0.9.8. According to the OpenSSL release team, these vulnerabilities are not as serious as the Heartbleed bug found in April 2014, but upgrading to the latest version prevents the Denial of Service attacks.

The identified vulnerabilities can be fixed by updating the OpenSSL version on your systems running CentOS, RHEL, Debian and Ubuntu.


Let’s see how to update OpenSSL.

Prerequisite: root privileges

How to find the version of OpenSSL installed?

$ openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

(OR)

$ yum list installed openssl
openssl.x86_64                    1.0.1e-16.el6_5.4                     @updates

The ‘openssl version’ command works on Debian and Ubuntu as well. Alternatively, you can list the installed package with the command below.

[debian/ubuntu ] $ sudo dpkg -l | egrep  '^ii.*openssl'

Fix/Patch OpenSSL by Upgrading to the Latest Version

$ sudo yum update openssl

Example output:

Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 0:1.0.1e-16.el6_5.4 will be updated
--> Processing Dependency: openssl = 1.0.1e-16.el6_5.4 for package: openssl-devel-1.0.1e-16.el6_5.4.x86_64
---> Package openssl.x86_64 0:1.0.1e-30.el6.8 will be an update
--> Running transaction check
---> Package openssl-devel.x86_64 0:1.0.1e-16.el6_5.4 will be updated
---> Package openssl-devel.x86_64 0:1.0.1e-30.el6.8 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================================================
 Package                                 Arch                             Version                                    Repository                         Size
=============================================================================================================================================================
Updating:
 openssl                                 x86_64                           1.0.1e-30.el6.8                            updates                           1.5 M
Updating for dependencies:
 openssl-devel                           x86_64                           1.0.1e-30.el6.8                            updates                           1.2 M

Transaction Summary
=============================================================================================================================================================
Upgrade       2 Package(s)

Total download size: 2.7 M
Downloading Packages:
(1/2): openssl-1.0.1e-30.el6.8.x86_64.rpm                                                                                             | 1.5 MB     00:08
(2/2): openssl-devel-1.0.1e-30.el6.8.x86_64.rpm                                                                                       | 1.2 MB     00:08
-------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                        156 kB/s | 2.7 MB     00:17
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : openssl-1.0.1e-30.el6.8.x86_64                                                                                                            1/4
  Updating   : openssl-devel-1.0.1e-30.el6.8.x86_64                                                                                                      2/4
  Cleanup    : openssl-devel-1.0.1e-16.el6_5.4.x86_64                                                                                                    3/4
  Cleanup    : openssl-1.0.1e-16.el6_5.4.x86_64                                                                                                          4/4
  Verifying  : openssl-1.0.1e-30.el6.8.x86_64                                                                                                            1/4
  Verifying  : openssl-devel-1.0.1e-30.el6.8.x86_64                                                                                                      2/4
  Verifying  : openssl-1.0.1e-16.el6_5.4.x86_64                                                                                                          3/4
  Verifying  : openssl-devel-1.0.1e-16.el6_5.4.x86_64                                                                                                    4/4
Updated:
  openssl.x86_64 0:1.0.1e-30.el6.8
Dependency Updated:
  openssl-devel.x86_64 0:1.0.1e-30.el6.8
Complete!

On Debian and Ubuntu machines:

[debian/ubuntu ] $ sudo apt-get update
[debian/ubuntu ] $ sudo apt-get upgrade

Now that OpenSSL is updated, restart the server or restart the services that use OpenSSL, since a running process keeps the old library mapped in memory until it is restarted.

How to find which services are using OpenSSL?

The command below lists the services that are currently running and have the OpenSSL library loaded.

$ lsof | grep libssl | awk '{print $1}' | sort | uniq
data-down
httpd
master
mysqld
php
pickup
postmaste
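The listing above shows every process that maps libssl, whether or not it has been restarted yet. After the package manager replaces the library file, a process still holding the old copy shows the path with a "(deleted)" suffix in lsof output, which is the precise signal for "needs a restart". The script below is an added example, not part of the original post; it parses lsof-style lines and prints only the stale processes, and runs here against constructed sample output rather than a live host.

```shell
#!/bin/sh
# Constructed sample of lsof output (not captured from a real host).
# httpd and mysqld still map the pre-upgrade library, which the kernel
# reports as "(deleted)" once yum/apt has replaced the file on disk.
SAMPLE_LSOF='httpd     1201  apache  mem  REG  253,0  408000  1234 /usr/lib64/libssl.so.1.0.1e (deleted)
mysqld    1305  mysql   mem  REG  253,0  408000  1234 /usr/lib64/libssl.so.1.0.1e (deleted)
master    1410  root    mem  REG  253,0  408000  5678 /usr/lib64/libssl.so.1.0.1e
sshd       988  root    mem  REG  253,0  408000  5678 /usr/lib64/libssl.so.1.0.1e
php       1502  apache  mem  REG  253,0  408000  5678 /usr/lib64/libssl.so.1.0.1e'

# all_libssl_users: the post's original check, every command that maps
# libssl or libcrypto (new or old copy), one name per line, de-duplicated.
all_libssl_users() {
    awk '/lib(ssl|crypto)\.so/ {print $1}' | sort -u
}

# stale_libssl_users: only the commands whose mapped libssl/libcrypto file
# has been deleted from disk, i.e. processes that must be restarted.
stale_libssl_users() {
    awk '/lib(ssl|crypto)\.so/ && /\(deleted\)/ {print $1}' | sort -u
}

# Demo wrappers feed the constructed sample through each filter. On a real
# host pipe the live output instead:  lsof -n 2>/dev/null | stale_libssl_users
demo_all() {
    printf '%s\n' "$SAMPLE_LSOF" | all_libssl_users
}
demo_stale() {
    printf '%s\n' "$SAMPLE_LSOF" | stale_libssl_users
}
```

Run lsof as root so that processes owned by other users (mysqld, postfix, etc.) are included; an empty result from the stale filter means every service has picked up the new library.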

Restart all of those services and that’s it: you have patched the vulnerabilities in OpenSSL versions 1.0.2, 1.0.1, 1.0.0 and 0.9.8.

Note: Even if I don’t update this post in the future, you should ensure that your system is always up to date with the latest patches.

Also read: List of Useful OpenSSL commands

Updated on September 3, 2017
