Information

The OpenSSL project issued a security advisory for CVE-2014-0160 ("Heartbleed") on April 7, 2014. You can find more information about CVE-2014-0160 on the OpenSSL website and at http://heartbleed.com/.

This vulnerability affects every service on the system that links against a vulnerable OpenSSL (the 1.0.1 series up to and including 1.0.1f; Apache-based services in particular) on systems built from one of the following distributions:

  • Debian Wheezy (stable) (vulnerable OpenSSL 1.0.1e-2+deb7u4, fixed in OpenSSL 1.0.1e-2+deb7u5)
  • Ubuntu 12.04.4 LTS (vulnerable OpenSSL 1.0.1-4ubuntu5.11, fixed in OpenSSL 1.0.1-4ubuntu5.12)

    Your Debian/Ubuntu package version can be checked using this command (note that services load the shared library from the separate libssl1.0.0 package, which the same advisory updates to the same version, so check that package the same way):

    ~# dpkg -l openssl
    
  • RedHat, CentOS, CloudLinux 6.5 (vulnerable OpenSSL 1.0.1e-16.el6_5.4, fixed in OpenSSL 1.0.1e-16.el6_5.7)
  • OpenSUSE 12.2 (vulnerable OpenSSL 1.0.1c, fixed in OpenSSL 1.0.1e-1.44.1)
  • OpenSUSE 13.1 (fixed in OpenSSL 1.0.1e-11.32.1)

    Your Redhat/CentOS and OpenSUSE package versions can be checked using this command:

    ~# rpm -q openssl
    

OpenSSL 0.9.7a and 0.9.8e (shipped with RedHat/CentOS 5) are not vulnerable: the flaw was introduced with the heartbeat extension in the 1.0.1 series. According to RHSA-2014:0376, only RedHat 6.5 ships a vulnerable version of OpenSSL.

  • On RedHat/CentOS/CloudLinux 5.x, Parallels Plesk ships custom builds of Apache (with SNI support) and Nginx compiled against an updated OpenSSL library (0.9.8y). These are not vulnerable, since the 0.9.8 branch does not implement the heartbeat extension.

Debian Squeeze (OpenSSL 0.9.8) is not vulnerable, as stated in Debian Security Advisory DSA-2896.

Plesk does not support Ubuntu 12.10 and 13.10, which ship a vulnerable OpenSSL 1.0.1 and are likewise fixed by USN-2165-1. The other Ubuntu releases supported by Plesk are not vulnerable, as per Ubuntu Security Notice USN-2165-1.

Fixes for OpenSUSE are provided in OpenSUSE Security Announcement openSUSE-SU-2014:0492-1.

Resolution

Operating system vendors have issued fixes, which have been incorporated by all major distributions. You must install the OpenSSL update using your operating system update process.

As an example, on CentOS 6, RHEL 6 and CloudLinux 6 this can be done using the following command:

~# yum clean all; yum update

After the OpenSSL update is installed, we recommend rebooting your operating system.

If a reboot is undesirable for some reason, restart every service that depends on OpenSSL. A running process keeps using the old library it loaded at start-up until it is restarted, even after the package on disk has been updated:

  • Web server (Apache or NGINX)
  • Plesk psa service:

    ~# service psa restart
    
  • WPB sw-engine service:

    ~# /etc/init.d/sw-engine restart
    
  • Mail (IMAP/POP3/SMTP services such as Qmail/Courier-IMAP/Postfix/Sendmail)
  • Databases (MySQL/PostgreSQL)
  • Any other services which rely on SSL and authorization. If you are unsure whether a service depends on SSL, we recommend restarting it.
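The following POSIX shell script is an added example (it is not part of the original article and not Plesk's own tooling) that performs the two checks a practitioner wants after this procedure: it compares the installed openssl package version with the fixed version listed above for your distribution, and it lists processes that still have a replaced (pre-update) libssl or libcrypto mapped, which is the reliable way to find services that still need a restart when the reboot is skipped. It assumes a Linux /proc, GNU sort -V for the version comparison, and dpkg-query or rpm for the package query; the /proc-like tree it builds when run without arguments is constructed sample data, not output from a real host.

```shell
#!/bin/sh
# Added example, not from the Plesk KB article: post-update checks for
# CVE-2014-0160. Assumes a Linux /proc, GNU coreutils (sort -V) and either
# dpkg-query (Debian/Ubuntu) or rpm (RHEL/CentOS/CloudLinux/openSUSE).

# Installed openssl package version in the distribution's own format,
# e.g. "1.0.1e-2+deb7u5" or "1.0.1e-16.el6_5.7". Returns 1 if neither
# package manager is available.
installed_openssl_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' openssl
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}' openssl
    else
        return 1
    fi
}

# is_fixed INSTALLED FIXED: succeeds when INSTALLED sorts at or above FIXED
# in version order (sort -V understands "deb7u5", "el6_5.7", "ubuntu5.12").
is_fixed() {
    highest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)
    [ "$highest" = "$1" ]
}

# stale_libssl_pids [PROCDIR]: prints "PID COMMAND" for each process whose
# mapped libssl/libcrypto file was replaced on disk after the process
# started; the kernel marks such mappings "(deleted)" in /proc/PID/maps.
# Those processes still execute the pre-update (vulnerable) code.
stale_libssl_pids() {
    procdir=${1:-/proc}
    for maps in "$procdir"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq 'lib(ssl|crypto)\.so[^ ]* \(deleted\)' "$maps"; then
            pid=${maps%/maps}; pid=${pid##*/}
            comm=$(cat "$procdir/$pid/comm" 2>/dev/null || echo '?')
            printf '%s %s\n' "$pid" "$comm"
        fi
    done
}

# make_fake_proc: builds a constructed /proc-like tree (sample data, not a
# real host) with one stale and one current process, and prints its path.
make_fake_proc() {
    d=$(mktemp -d)
    mkdir -p "$d/101" "$d/202"
    printf '7f1e-7f3b r-xp 00000000 fd:01 4711 /usr/lib64/libssl.so.1.0.1e (deleted)\n' > "$d/101/maps"
    printf 'httpd\n' > "$d/101/comm"
    printf '7f1e-7f3b r-xp 00000000 fd:01 4712 /usr/lib64/libssl.so.1.0.1e\n' > "$d/202/maps"
    printf 'nginx\n' > "$d/202/comm"
    printf '%s\n' "$d"
}

if [ $# -eq 0 ]; then
    # No argument: demonstrate on the constructed tree only.
    fake=$(make_fake_proc)
    echo "Processes still mapping a replaced libssl (constructed data):"
    stale_libssl_pids "$fake"
    rm -rf "$fake"
else
    # Argument: the fixed version for this distribution, e.g. 1.0.1e-16.el6_5.7
    ver=$(installed_openssl_version) || { echo "cannot query the openssl package" >&2; exit 2; }
    if is_fixed "$ver" "$1"; then
        echo "openssl $ver: fix present (>= $1)"
    else
        echo "openssl $ver: STILL VULNERABLE, update to $1 or later"
    fi
    stale=$(stale_libssl_pids)
    if [ -n "$stale" ]; then
        printf 'Restart these processes, they still run the old library:\n%s\n' "$stale"
    fi
fi
```

Run it on the live host as root with the fixed version for your distribution, for example `sh heartbleed-check.sh 1.0.1e-16.el6_5.7` (the script name is an assumption). Any PID it prints was started before the library file was replaced and still runs the old code, whatever `rpm -q` or `dpkg -l` report; restart that service or reboot. On Debian/Ubuntu the equivalent of the yum step above is `apt-get update && apt-get install --only-upgrade openssl libssl1.0.0`.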

Password Changes

It is highly recommended that you change the passwords of all administrative accounts (the Plesk administrator, root, and any other staff logins) after the update is finished. Heartbleed lets a client read up to 64 KB of server process memory per request, and that memory can contain credentials and session cookies that were sent over the server's TLS-protected connections while it was vulnerable.

SSL Certificate Revocations

We encourage all customers to revoke and reissue their SSL certificates. The private keys of the vulnerable services were held in the same process memory and may have been disclosed; a leaked key lets an attacker impersonate the site and decrypt captured traffic that did not use forward secrecy, until the certificate is revoked. Generate a new private key when reissuing, since reissuing with the old key gives no protection. The procedure for revocation and reinstallation of SSL certificates is out of the scope of this document.

Additional Checks

After updating, please test every public HTTPS endpoint of the server using the SSLLabs service: https://www.ssllabs.com/ssltest/

The output of the test should include a row similar to this: This server is not vulnerable to the Heartbleed attack. (Experimental)

See also

  • KB #121016 - summary article for all Parallels products
