OpenSSL CVE-2014-0160 Heartbleed bug and Red Hat Enterprise Linux
Environment
- Red Hat Enterprise Linux 7 not affected
- Red Hat Enterprise Linux 7 Release Candidate (RC) not affected
- Red Hat Enterprise Linux 7 Beta affected
- Red Hat Enterprise Linux 6 affected
- Red Hat Enterprise Linux 5 not affected
- Red Hat Enterprise Linux 4 not affected
- For other affected products, refer to https://access.redhat.com/site/announcements/781953
Issue
- Does CVE-2014-0160 affect Red Hat Enterprise Linux?
- Need fix for openssl heartbleed bug
- What versions of Red Hat Enterprise Linux are affected by openssl heartbleed vulnerability?
- Do we have a list of packages/services we ship with RHEL that need a restart after OpenSSL has been updated?
Resolution
Step 1: Determine if RHEL system is vulnerable to flaw described in CVE-2014-0160
Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 7 includes OpenSSL version openssl-1.0.1e-34.el7, which includes a fix backported from openssl-1.0.1g
Red Hat Enterprise Linux 7 Release Candidate (RC)
- Red Hat Enterprise Linux 7 RC includes OpenSSL version openssl-1.0.1e-34.el7, which includes a fix backported from openssl-1.0.1g
Red Hat Enterprise Linux 7 Beta
- OpenSSL versions openssl-1.0.1e-33.el7 and earlier include a flawed libssl.so library vulnerable to the issue
- To determine the installed openssl version, use the command:
  rpm -q openssl
- Version openssl-1.0.1e-34.el7 included a fix backported from openssl-1.0.1g
- See footnote [1] for considerations specific to RHEL 7 Beta
Red Hat Enterprise Linux 6
- OpenSSL versions openssl-1.0.1e-15 through openssl-1.0.1e-16.el6_5.4 include a flawed libssl.so library vulnerable to the issue
- The first affected version shipped with RHEL 6.5 (RHEL 6.4 and older shipped with the unaffected openssl-1.0.0 series)
- Systems which report as RHEL 6.0 - 6.3 could still have been updated to a newer [vulnerable] openssl-1.0.1 series package
- To determine the installed openssl version, use the command:
  rpm -q openssl
- Version openssl-1.0.1e-16.el6_5.7 included a fix backported from openssl-1.0.1g
Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 4
- Vulnerable OpenSSL 1.0.1 series versions never shipped in RHEL 5 or earlier
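Reading the `rpm -q openssl` output by hand is error-prone on multilib hosts, where the i686 and x86_64 packages can be at different builds. The following POSIX sh script is an added example and is not part of this Red Hat article; it encodes the affected and fixed builds listed in Step 1 (RHEL 6: -15 through -16.el6_5.4 flawed, -16.el6_5.7 and later fixed; RHEL 7: -33.el7 and earlier flawed, -34.el7 and later fixed; 1.0.0 and 0.9.x series not affected). The function names, the treatment of a bare release such as `-15` as an el6 build, and the sample `rpm -q` output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: classify the package NVR printed by `rpm -q openssl` against
# the fixed builds named in the article. Prints one of:
#   not-affected | vulnerable | fixed | unknown
heartbleed_status() {
    nvr=$1
    # rpm -q prints one line per arch on multilib hosts; drop the arch suffix
    case "$nvr" in
        *.x86_64) nvr=${nvr%.x86_64} ;;
        *.i686)   nvr=${nvr%.i686} ;;
        *.ppc64)  nvr=${nvr%.ppc64} ;;
        *.s390x)  nvr=${nvr%.s390x} ;;
    esac
    case "$nvr" in
        openssl-1.0.1e-*)             ;;   # the 1.0.1 build RHEL shipped; examined below
        openssl-0.9.*|openssl-1.0.0*) echo not-affected; return 0 ;;
        *)                            echo unknown; return 0 ;;
    esac
    rel=${nvr#openssl-1.0.1e-}        # e.g. 16.el6_5.4, 34.el7 or a bare 15
    case "$rel" in
        *.*) ;;
        *)   rel="$rel.el6" ;;        # assumption: a bare "-15" is the RHEL 6.5 build
    esac
    relnum=${rel%%.*}
    case "$relnum" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case "$rel" in
        *.el7*)
            # RHEL 7 Beta: -33.el7 and earlier flawed; -34.el7 carries the 1.0.1g backport
            if [ "$relnum" -ge 34 ]; then echo fixed; else echo vulnerable; fi ;;
        *.el6*)
            # RHEL 6: -15 through -16.el6_5.4 flawed; -16.el6_5.7 and later fixed
            if [ "$relnum" -gt 16 ]; then echo fixed
            elif [ "$relnum" -lt 16 ]; then echo vulnerable
            else
                sub=${rel#16.el6_5.}          # z-stream suffix, e.g. "7"
                if [ "$sub" = "$rel" ]; then  # plain -16.el6, no z-stream suffix
                    echo vulnerable
                elif [ "${sub%%.*}" -ge 7 ]; then
                    echo fixed
                else
                    echo vulnerable
                fi
            fi ;;
        *) echo unknown ;;
    esac
}

# Read `rpm -q openssl` output (one NVR per line) on stdin and report each build.
# Returns 0 only when every installed build is fixed or not affected.
all_clear() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        s=$(heartbleed_status "$line")
        printf '%-13s %s\n' "$s" "$line"
        case "$s" in fixed|not-affected) ;; *) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample: a multilib RHEL 6.5 host where only the x86_64 package was updated
sample_rpm_q='openssl-1.0.1e-16.el6_5.7.x86_64
openssl-1.0.1e-16.el6_5.4.i686'
if printf '%s\n' "$sample_rpm_q" | all_clear; then
    echo "every installed openssl build is fixed; restart processes still using the old libssl (Step 4)"
else
    echo "a flawed openssl build is still installed: run 'yum update openssl' (Step 3)"
fi
```

On a real host replace the constructed sample with `rpm -q openssl | all_clear`; the non-zero exit status makes the check usable from a configuration-management or monitoring job. An unknown result (for example a rebuilt or third-party openssl package) deliberately counts as not clear rather than silently passing.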
Optional Step 2: Look for and/or query processes which are using the vulnerable libssl library
- Run either of the following commands as root to display running processes which are using libssl:
  lsof | awk 'NR==1 || $0~/libssl.so.1.0.1e/'
  grep libssl.so.1.0.1e /proc/*/maps | cut -d/ -f3 | sort -u | xargs -r -- ps uf
- Use Red Hat's Heartbleed Detector tool to query public-facing servers (or the version for internal systems)
Step 3: Upgrade the openssl package
Red Hat Enterprise Linux 7 Beta
- Update to openssl-1.0.1e-34.el7 (which corrected the flaw) or later
Red Hat Enterprise Linux 6
- Update to openssl-1.0.1e-16.el6_5.7 (which corrected the flaw, as described in RHSA-2014:0376) or later
- As always, registered systems with internet access (or any RHEL 7 Beta system, or systems connected to Satellites, etc.) can be updated via yum, e.g.:
  yum update openssl
- Otherwise, use a connected system to download the package, or download the package directly from the Customer Portal (see footnote [2])
- After that, transfer the package to the system in question and install it manually with yum, e.g.:
  yum update <path-to-openssl*rpm>
Red Hat Enterprise Linux 6 KVM Guest Image
- Systems built from the Red Hat Enterprise Linux 6 KVM Guest Image (rhel-guest-image) package can resolve this flaw by updating the openssl package, as noted above. An updated rhel-guest-image package is also available, which includes a version of openssl that is patched for this flaw. For more details, see RHBA-2014:0426.
Step 4: After updating openssl, restart all processes using the flawed libssl.so (see footnote [3])
- The safest and simplest course of action is to perform a full system reboot
- Alternatively, use the commands from Optional Step 2 to determine which processes need to be restarted and then act accordingly
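The grep over /proc/*/maps in Optional Step 2 lists every process that maps a file named libssl.so.1.0.1e, which after the update includes processes that were already restarted and are using the new, fixed library. A process that still holds the old library shows the mapping with a trailing "(deleted)" marker, because yum replaced the file on disk while the process kept the unlinked inode mapped. The following POSIX sh script is an added example, not part of this Red Hat article: it narrows the Step 2 check to processes that still need a restart. The function names, the optional proc-root parameter (present only so the example can run against a constructed tree) and the sample maps lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: list PIDs that still map the replaced (pre-update) libssl.
# After `yum update openssl`, the old file is unlinked, so processes that
# loaded it before the update show " (deleted)" after the path in their maps.
stale_libssl_pids() {
    proc_root=${1:-/proc}   # parameter exists only for the constructed demo tree
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -q 'libssl\.so\.1\.0\.1e (deleted)$' "$maps" 2>/dev/null; then
            pid=${maps%/maps}
            pid=${pid##*/}
            echo "$pid"
        fi
    done
}

# Build a constructed /proc look-alike with three processes (sample data, not
# captured from a real host). Prints the directory path.
make_demo_proc_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/1234" "$d/1235" "$d/1236"
    # 1234: started before the update, still mapping the unlinked old library
    printf '7f3a0000-7f3a4000 r-xp 00000000 fd:01 131073 /usr/lib64/libssl.so.1.0.1e (deleted)\n' \
        > "$d/1234/maps"
    # 1235: restarted after the update, maps the new file (no marker)
    printf '7f3b0000-7f3b4000 r-xp 00000000 fd:01 131099 /usr/lib64/libssl.so.1.0.1e\n' \
        > "$d/1235/maps"
    # 1236: unrelated process that does not use libssl at all
    printf '7f3c0000-7f3c4000 r-xp 00000000 fd:01 4242 /lib64/libc-2.12.so\n' \
        > "$d/1236/maps"
    echo "$d"
}

demo=$(make_demo_proc_tree)
echo "processes still using the old libssl (expect 1234):"
stale_libssl_pids "$demo"
rm -rf "$demo"
```

On a real host run `stale_libssl_pids | xargs -r -- ps uf` as root, mirroring the article's Step 2 pipeline; an empty result after the update means every process has already been restarted, whereas the plain grep would keep reporting the restarted httpd and other consumers of the fixed library.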
Optional Step 5: Take additional remediation steps as desired
- Official statement from Red Hat Security Response Team:
  Red Hat is not aware of any public exploit being used in the wild for this issue prior to the date of disclosure. However, a number of public exploits were published shortly after the issue was disclosed (see footnote [4]). These exploits could lead to the disclosure of information handled by applications using OpenSSL, including private keys, session tokens, and data submitted by users, which could include authentication credentials. It is recommended that you assess the risk this could pose to your systems, and perform additional remediation as you deem appropriate.
- For more details on additional remediation steps, refer to: How to recover from the Heartbleed OpenSSL vulnerability
Footnotes
[1] Red Hat does not support the use of beta software in production and, therefore, does not normally release errata for betas. Given the great interest in the RHEL 7 Beta and the severity of the Heartbleed issue, Red Hat has made an exception in order to facilitate customer testing -- an updated OpenSSL package for the RHEL 7 Beta was provided. Note however that due to the beta nature of this update, CVE-2014-0160 will not link to any RHEL 7 Beta errata page.
[2] Package downloads for RHEL 7 Beta are in a different place than normal supported downloads: Navigate to the RHEL 7 Public Beta Download Page and make an appropriate selection. Then click the Packages tab, enter "openssl" in the Filter search field, and select the "openssl" package to download it.
[3] The most common process which is affected is Apache's httpd when being used in concert with mod_ssl. In contrast, OpenSSH's sshd is not affected. (See Is OpenSSH affected by the OpenSSL Heartbleed bug?)
[4] Note that several security researchers have now demonstrated that it is possible to retrieve private keys from an nginx server vulnerable to this flaw. (Note that it has not yet been demonstrated that private keys can be retrieved from Apache httpd servers as shipped in RHEL.) If you are using OpenSSL on a web server, for example using Apache httpd and mod_ssl, then remote attackers may have used this flaw to compromise session tokens and plaintext user credentials stored in memory. Tools allowing attackers to automatically harvest session tokens from servers vulnerable to this flaw are now publicly available.
Root Cause
- Official statement from Security Advisory RHSA-2014:0376:
  An information disclosure flaw was found in the way OpenSSL handled TLS and DTLS Heartbeat Extension packets. A malicious TLS or DTLS client or server could send a specially crafted TLS or DTLS Heartbeat packet to disclose a limited portion of memory per request from a connected client or server. Note that the disclosed portions of memory could potentially include sensitive information such as private keys. (CVE-2014-0160)
- For links to more detail, see the entry for CVE-2014-0160 in Red Hat's CVE Database
Diagnostic Steps
- See the commands and links to scanners above in the Resolution
- For prelink questions after updating openssl, please refer to: After Heartbleed CVE-2014-0160 openssl upgrade, lsof output shows #prelink# libraries in use