OpenSSL HeartBleed Vulnerability for CentOS 6 users

  • April 9, 2014 by Tech #1

This vulnerability is considered critical, and you should be taking corrective action on your server by updating the "openssl" package. The CentOS announcement about the recent OpenSSL vulnerability with a link to the upstream RedHat announcement is available here: 

http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html

The patched OpenSSL 1.0.1 RPM has already been published to the RHEL 6, CentOS 6, and CloudLinux 6 repositories, so the only steps that should be necessary to update these servers are to run "yum update" to install the updated version of OpenSSL and then either fully restart all SSL-enabled services, including sshd, or reboot the server. 

I recommend rebooting the server so that no services are missed, and it also gives you the opportunity to install an updated kernel if one is available.

The patched OpenSSL 1.0.1e RPM will have a change-log that indicates the CVE-2014-0160 vulnerability has been fixed, such as this example: 

# rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

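The two checks above (is the patched RPM installed, and has every service actually been restarted so it no longer runs the old library) can be scripted. The following is an added example, not part of the original post: it checks the changelog for the CVE-2014-0160 fix and then walks /proc to find processes that still have a replaced ("(deleted)") libssl or libcrypto mapped, which is exactly what a service that was not restarted after "yum update" looks like. It assumes rpm and a readable /proc; the maps and changelog text in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): verify the Heartbleed fix on a
# CentOS 6 host and find services that still run the pre-update OpenSSL.

# Return 0 if changelog text on stdin mentions the CVE-2014-0160 fix.
changelog_is_patched() {
    grep -q 'CVE-2014-0160'
}

# Read /proc/PID/maps-style text on stdin and print the OpenSSL shared
# objects that were replaced on disk ("(deleted)") but are still mapped,
# i.e. the process is still executing the vulnerable code.
stale_openssl_maps() {
    awk '/lib(ssl|crypto)[^ ]*\.so.*\(deleted\)/ { print $6 }' | sort -u
}

# Live wrapper: is the installed openssl RPM patched?
check_rpm() {
    rpm -q --changelog openssl | changelog_is_patched
}

# Live wrapper: list "PID name" for every process still holding old OpenSSL.
list_stale_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        stale=$(cat "$maps" 2>/dev/null | stale_openssl_maps)
        [ -n "$stale" ] && printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
    done
    return 0
}
```

Run check_rpm and list_stale_processes as root after "yum update"; an empty list from the second means every SSL-enabled service (sshd included) has picked up the new library, otherwise restart what it prints or reboot.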
RHEL/CentOS/CloudLinux 5 servers which are using the OpenSSL 0.9.8 RPM included in the official OS repositories are not vulnerable since they are using an older version of OpenSSL that never contained this vulnerability.

If you have daily automatic updates configured on your server, the patch has already been installed; the SSL-enabled services still need to be restarted (or the server rebooted) as described above before the fix takes effect.

If you have any questions, feel free to email support@bennykusman.com