OpenSSL CVE-2014-0160 Heartbleed bug and Red Hat Storage (RHS)


Environment

Issue

  • Does CVE-2014-0160 affect Red Hat Storage?
  • Need fix for openssl heartbleed bug

Resolution

  • Red Hat is not aware of any public exploit being used in the wild for this issue prior to the date of disclosure. However, a number of public exploits were published shortly after the issue was disclosed. These exploits could lead to the disclosure of information handled by applications using OpenSSL, including private keys, session tokens, and data submitted by users, which could include authentication credentials. It is recommended that you assess the risk this could pose to your systems, and perform additional remediation as you deem appropriate. (For more details on additional remediation steps, refer to: How to recover from the Heartbleed OpenSSL vulnerability.)

  • All users are strongly advised to upgrade to openssl-1.0.1e-16.el6_5.7 (RHSA-2014:0377) or later, which corrects this issue

    • As always, registered Red Hat Storage systems with internet access (or systems connected to Satellites, etc) can be updated via yum

      yum update openssl
      
    • After successfully updating the openssl package, any resident processes (e.g., services) linked to the OpenSSL library (httpd, sshd) must be restarted to close the vulnerability, since a running process keeps the old, vulnerable copy of the library mapped until it restarts (alternative: reboot)

    • Reference the Red Hat Storage Installation Guide chapter on updating for additional general comments about updating RHS

    • Note that there is no current ISO method of deployment for this issue; the openssl package(s) must be updated
      If a system is in a disconnected environment, the package(s) can be copied to the system and installed manually

Root Cause

  • Official statement from Security Advisory RHSA-2014:0377:

    An information disclosure flaw was found in the way OpenSSL handled TLS and
    DTLS Heartbeat Extension packets. A malicious TLS or DTLS client or server
    could send a specially crafted TLS or DTLS Heartbeat packet to disclose a
    limited portion of memory per request from a connected client or server.
    Note that the disclosed portions of memory could potentially include
    sensitive information such as private keys. (CVE-2014-0160)

  • For any ongoing developments, monitor the entry for CVE-2014-0160 in Red Hat's CVE Database

Diagnostic Steps

  • Red Hat has provided a tool to help automatically check whether public sites are exposed to this vulnerability. This tool is for informational purposes only, but can help you quickly check systems before and after applying the updated packages.

  • Affected systems are those running Red Hat Storage 2.1.2, but more specifically, a version of the openssl package from openssl-1.0.1e-15.el6 through openssl-1.0.1e-16.el6_5.4

  • To check the current openssl package version:

    # rpm -q openssl
    openssl-1.0.1e-16.el6_5.4.x86_64
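
The version ranges above can be checked offline against `rpm -q openssl` output. The following is an added example, not part of this solution or of Red Hat's tooling: it classifies each installed openssl package as vulnerable (openssl-1.0.1e-15.el6 through openssl-1.0.1e-16.el6_5.4), fixed (openssl-1.0.1e-16.el6_5.7 or later) or unknown, using a simplified port of RPM's rpmvercmp ordering (numeric segments compared as integers, so 16.el6_5.7 sorts before 16.el6_5.10). The sample `rpm -q` output is constructed; the rpmvercmp port ignores RPM's tilde/caret rules, which these release strings do not use.

```python
import re

# Range and fixed build as stated in this solution (RHSA-2014:0377).
VULN_VERSION = "1.0.1e"
FIRST_VULN_RELEASE = "15.el6"
LAST_VULN_RELEASE = "16.el6_5.4"
FIXED_RELEASE = "16.el6_5.7"

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Simplified port of RPM's rpmvercmp (assumption: no ~ or ^ handling).
    Splits on non-alphanumerics, compares numeric segments as integers and
    alphabetic ones lexically; numeric beats alpha; the string with segments
    left over is newer. Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0

def parse_nvra(nvra):
    """Split 'name-version-release.arch' as printed by `rpm -q`."""
    name, version, rel_arch = nvra.rsplit("-", 2)
    release, arch = rel_arch.rsplit(".", 1)
    return name, version, release, arch

def heartbleed_status(nvra):
    name, version, release, _ = parse_nvra(nvra)
    if name != "openssl" or version != VULN_VERSION:
        return "unknown"  # outside the builds this advisory describes
    if rpmvercmp(release, FIRST_VULN_RELEASE) >= 0 and \
       rpmvercmp(release, LAST_VULN_RELEASE) <= 0:
        return "vulnerable"
    if rpmvercmp(release, FIXED_RELEASE) >= 0:
        return "fixed"
    return "unknown"  # e.g. an interim build the advisory does not list

# Constructed sample: a multilib host with both arches installed.
SAMPLE_RPM_Q_OUTPUT = "openssl-1.0.1e-16.el6_5.4.x86_64\nopenssl-1.0.1e-16.el6_5.4.i686\n"

def check_rpm_q_output(text):
    return {line: heartbleed_status(line) for line in text.split()}
```

Pipe real output in with `rpm -q openssl | python3 check.py` style wrapping, or paste it into `check_rpm_q_output`; any "vulnerable" entry means the package still needs the update, and a "fixed" entry still requires restarting processes linked to libssl.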
    
