
Sunday, August 24, 2014

Red Hat OpenSSL Heartbleed bug patch update

4:03 AM Posted by vinod
Most system administrators and developers are currently busy fixing OpenSSL's most serious bug to date, named Heartbleed. The heartbeat extension keeps a session alive for a while so that communication is not broken, whereas in plain SSL the connection is terminated as soon as it is inactive for a bit. A security team recently discovered a flaw in this heartbeat extension: using the heartbeat protocol, an attacker can read the server's memory contents in chunks of 64K. That data can be decrypted and read as plain text. If the server is used for credit card transactions, an attacker can easily pull out all the details they want by requesting a number of 64K memory chunks.
OpenSSL 1.0.1 through 1.0.1f are vulnerable. For more information, see the Heartbleed advisory.

The first Heartbleed-affected version of Red Hat Linux is 6.5. Red Hat Linux 6.0 through 6.4 are unaffected.


As per Red Hat's support documents, OpenSSL packages openssl-1.0.1e-15 through openssl-1.0.1e-16.el6_5.4 include a flawed libssl.so library vulnerable to this issue.

(See also Red Hat's knowledgebase article on this issue.)

Use the commands below to find the installed OpenSSL version.

[root@vinodhkumar~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
[root@vinodhkumar~]# rpm -q openssl
openssl-1.0.1e-16.el6_5.4.x86_64
You can see that the version above has the Heartbleed bug, since the OpenSSL version is 1.0.1e and the patch (z-stream) release is 5.4, inside the affected range.
1. To download the fixed version of OpenSSL, log in to the Red Hat Customer Portal with your account and download the required openssl package for the fix.
2. You may get a list of software that contains openssl. Click on openssl to reach the download page, then download the RPM that ends with *_5.7.x86_64 for Red Hat Linux 6.5 64-bit.
3. Install the RPM using one of the commands below.
# yum update /var/tmp/openssl-1.0.1e-16.el6_5.7.x86_64.rpm
or
# rpm -Uvh openssl-1.0.1e-16.el6_5.7.x86_64.rpm
4. After patching, verify the new version using the command below.
[root@vinodhkumar ~]# rpm -q openssl
openssl-1.0.1e-16.el6_5.7.x86_64
The Heartbleed-affected library is now replaced on disk.
You can easily identify which applications are still using the old OpenSSL library with the commands below.
[root@vinodhkumar ~]# grep libssl.so.1.0.1e /proc/*/maps | cut -d/ -f3 | sort -u | xargs -r -- ps uf
USER        PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root        1276  0.0  0.0  80288   808 ?        Ss   Mar11   0:01 /usr/libexec/postfix/master
uapostfix   1855  0.0  0.0  80532   604 ?        S    Mar11   0:00  \_ qmgr -l -t fifo -u
uapostfix   2952  0.0  0.0  80288  1752 ?        S    19:17   0:00  \_ pickup -l -t fifo -u
[root@vinodhkumar ~]# lsof | awk 'NR==1 || $0~/libssl.so.1.0.1e/'
COMMAND     PID      USER   FD      TYPE             DEVICE    SIZE/OFF       NODE NAME
masterua     1276      root  DEL       REG              253,1                 266122 /usr/lib64/libssl.so.1.0.1e.#prelink#.lCBmW3
uaqmgr       1855   postfix  DEL       REG              253,1                 266121 /usr/lib64/libssl.so.1.0.1e.#prelink#.lCBmW3
uapickup     2952   postfix  mem       REG              253,1      666060     234516 /usr/lib64/libssl.so.1.0.1e
[root@vinodhkumar ~]#
A running process keeps using the old libssl it already has mapped until it is restarted (lsof shows the old file as DEL above), so you need to restart every application that uses the OpenSSL library. It is better to stop those applications before installing this patch.
Hopefully this article helps you make your Linux environment free of the Heartbleed bug.
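As an added example (not code from the original post), the following POSIX shell script turns the two checks above into functions that run against constructed sample data: it classifies an `rpm -q openssl` string against the vulnerable range named above (openssl-1.0.1e-15 through openssl-1.0.1e-16.el6_5.4; openssl-1.0.1e-16.el6_5.7 fixed), and it lists the PIDs that still map a deleted libssl from grep-style /proc/*/maps lines. The function names and sample lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Two checks against sample data:
#  1. heartbleed_status: classify an `rpm -q openssl` string against the
#     range the post names (openssl-1.0.1e-15 .. openssl-1.0.1e-16.el6_5.4
#     vulnerable; openssl-1.0.1e-16.el6_5.7 fixed).
#  2. stale_libssl_pids: from grep-style "/proc/PID/maps:..." lines, list
#     PIDs still mapping a libssl whose file was replaced by the update.
# Function names and the sample lines below are constructed for this example.

heartbleed_status() {
    # Anything outside the RHEL 6.5 openssl-1.0.1e builds is "unknown"
    # so the operator checks it by hand rather than trusting a guess.
    case "$1" in
        openssl-1.0.1e-15.*|openssl-1.0.1e-16.el6.*) echo vulnerable; return ;;
        openssl-1.0.1e-16.el6_5.*) ;;
        *) echo unknown; return ;;
    esac
    # z-stream release number after "el6_5."
    z=$(printf '%s\n' "$1" | sed -n 's/^openssl-1\.0\.1e-16\.el6_5\.\([0-9][0-9]*\).*/\1/p')
    if [ -z "$z" ]; then echo unknown
    elif [ "$z" -le 4 ]; then echo vulnerable      # 5.0 .. 5.4: flawed libssl
    elif [ "$z" -ge 7 ]; then echo fixed           # 5.7 and later: patched build
    else echo unknown                              # 5.5/5.6 not named in the post
    fi
}

stale_libssl_pids() {
    # stdin: output of  grep libssl.so /proc/*/maps
    # "(deleted)" means the process still maps the file that rpm removed.
    grep 'libssl\.so.*(deleted)' | cut -d/ -f3 | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample: two postfix processes still on the deleted library,
# one process (3102) already restarted onto the new file.
sample_maps='/proc/1276/maps:7f3a8c000000-7f3a8c05f000 r-xp 00000000 fd:01 266122 /usr/lib64/libssl.so.1.0.1e (deleted)
/proc/1855/maps:7f3a8c000000-7f3a8c05f000 r-xp 00000000 fd:01 266121 /usr/lib64/libssl.so.1.0.1e (deleted)
/proc/3102/maps:7f11aa000000-7f11aa05f000 r-xp 00000000 fd:01 270001 /usr/lib64/libssl.so.1.0.1e
/proc/3102/maps:7f11ab000000-7f11ab100000 r-xp 00000000 fd:01 270002 /usr/lib64/libcrypto.so.1.0.1e'

for pkg in openssl-1.0.1e-16.el6_5.4.x86_64 openssl-1.0.1e-16.el6_5.7.x86_64; do
    echo "$pkg: $(heartbleed_status "$pkg")"
done
echo "PIDs still mapping the deleted libssl: $(printf '%s\n' "$sample_maps" | stale_libssl_pids)"
```

On a live RHEL 6.5 host the same functions would be fed by `rpm -q openssl` and `grep libssl.so /proc/*/maps`; any PID they print still needs a restart.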
