Questions tagged [heartbleed]

The Heartbleed bug is a vulnerability in OpenSSL's TLS implementation: a missing bounds check in its handling of the TLS heartbeat extension (RFC 6520). The CVE ID for this issue is CVE-2014-0160. OpenSSL 1.0.1 through 1.0.1f (and 1.0.2-beta1) are affected; 1.0.1g fixed it, and the 1.0.0 and 0.9.8 branches never contained the heartbeat code, although many distributions backport the fix without changing the version string reported by "openssl version".

The Heartbleed vulnerability lets a remote, unauthenticated peer read up to 64 KB of the process's memory per heartbeat request, repeatedly and without leaving a trace in the usual logs. That memory can contain the information SSL/TLS was supposed to protect (session keys, cookies, passwords, request bodies) and, in the worst case, the private key of the server's certificate. Remediation is therefore more than installing the patch: every process that loaded the old library must be restarted, affected certificates should be reissued and the old ones revoked, and passwords and sessions that may have been exposed should be reset.

Any application using OpenSSL for its TLS implementation is potentially vulnerable, on either side of the connection: a malicious client can read memory from a vulnerable server, and a malicious server can read memory from a vulnerable client. That covers a large variety of software, including web servers and browsers, email clients and servers, instant messaging software, VPNs and anything else linked against a vulnerable libssl.

See http://heartbleed.com or CVE-2014-0160 for more information.
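The mechanism behind the tag wiki's description, as an added illustration that is not OpenSSL's own code: a heartbeat record is [type:1][payload_length:2][payload][padding >= 16], and the vulnerable code sized its reply from the attacker-supplied length field rather than from the record actually received. The model below keeps the over-read inside one constructed array ("process memory" with a planted secret after the record) so it is safe to run; the function names, the arena layout and the secret string are assumptions made for the demo, while the two length checks in the fixed handler mirror the ones OpenSSL 1.0.1g added.

```c
/* Added example: a model of the Heartbleed over-read (not OpenSSL's own code).
 * A TLS heartbeat record is [type:1][payload_len:2][payload][padding>=16].
 * The constructed "process memory" arena below holds the record at offset 0
 * and a planted secret a little further on, so the over-read stays inside one array. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16            /* RFC 6520 minimum padding */
#define ARENA_SIZE       (72 * 1024)   /* larger than 3 + 0xFFFF + 16, so the demo stays in bounds */

static unsigned char arena[ARENA_SIZE];                                   /* constructed process memory */
static const char secret[] = "session_cookie=constructed-secret-value";  /* planted for the demo */

/* Write a heartbeat request into arena[0..]. claimed_len is what the attacker puts on the
 * wire; actual_len is how many payload bytes are really sent. Returns the record length. */
static size_t build_request(uint16_t claimed_len, const char *payload, size_t actual_len) {
    memset(arena, 'A', sizeof arena);                      /* filler "heap" contents */
    arena[0] = TLS1_HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(&arena[3], payload, actual_len);
    size_t rec_len = 1 + 2 + actual_len + HB_PADDING;
    memcpy(&arena[rec_len + 200], secret, sizeof secret);  /* data of some neighbouring allocation */
    return rec_len;
}

/* Response construction shared by both handlers; mirrors OpenSSL 1.0.1-1.0.1f, which
 * trusts the length field inside the record. */
static unsigned char *echo_untrusted(const unsigned char *rec, size_t *out_len) {
    if (rec[0] != TLS1_HB_REQUEST) return NULL;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    const unsigned char *pl = &rec[3];
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    unsigned char *resp = malloc(resp_len);
    if (!resp) return NULL;
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(&resp[3], pl, payload);             /* BUG: copies `payload` bytes, however many were sent */
    memset(&resp[3 + payload], 0, HB_PADDING); /* OpenSSL fills the padding with random bytes */
    *out_len = resp_len;
    return resp;
}

/* Vulnerable handler: the real record length is never consulted. */
unsigned char *hb_handle_vulnerable(const unsigned char *rec, size_t rec_len, size_t *out_len) {
    (void)rec_len;
    return echo_untrusted(rec, out_len);
}

/* Fixed handler: the two checks OpenSSL 1.0.1g added before building the response. */
unsigned char *hb_handle_fixed(const unsigned char *rec, size_t rec_len, size_t *out_len) {
    if (1 + 2 + HB_PADDING > rec_len) return NULL;                   /* silently discard */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return NULL; /* silently discard */
    return echo_untrusted(rec, out_len);
}

/* Does the response contain the planted secret? (byte-wise substring search) */
static int contains_secret(const unsigned char *buf, size_t len) {
    size_t n = strlen(secret);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, secret, n) == 0) return 1;
    return 0;
}

/* Attacker sends 3 payload bytes but claims 0xFFFF: the vulnerable path leaks the secret. */
int vulnerable_leaks_secret(void) {
    size_t rec_len = build_request(0xFFFF, "hat", 3), out_len = 0;
    unsigned char *resp = hb_handle_vulnerable(arena, rec_len, &out_len);
    int leaked = resp && out_len == 1 + 2 + 0xFFFF + HB_PADDING && contains_secret(resp, out_len);
    free(resp);
    return leaked;
}

/* The same malicious record against the fixed handler is discarded. */
int fixed_rejects_malicious(void) {
    size_t rec_len = build_request(0xFFFF, "hat", 3), out_len = 0;
    return hb_handle_fixed(arena, rec_len, &out_len) == NULL;
}

/* An honest request (claimed length == actual) is still answered and leaks nothing. */
int fixed_echoes_honest(void) {
    size_t rec_len = build_request(3, "hat", 3), out_len = 0;
    unsigned char *resp = hb_handle_fixed(arena, rec_len, &out_len);
    int ok = resp && out_len == 1 + 2 + 3 + HB_PADDING
             && memcmp(&resp[3], "hat", 3) == 0 && !contains_secret(resp, out_len);
    free(resp);
    return ok;
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler rejects oversize claim: %d\n", fixed_rejects_malicious());
    printf("fixed handler echoes honest request: %d\n", fixed_echoes_honest());
    return 0;
}
```

The 64 KB figure in the tag wiki is the 16-bit length field: the reply is 1 + 2 + payload + 16 bytes, so one request returns at most 65535 bytes of whatever sits after the record in memory. The fix compares the claimed length against the length of the TLS record actually received and discards the request when they disagree, which is also why no data is leaked back to an honest peer.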

63 questions
203 votes, 9 answers

Heartbleed: What is it and what are options to mitigate it?

This is a Canonical Question about understanding and remediating the Heartbleed security issue. What exactly is CVE-2014-0160 AKA "Heartbleed"? What is the cause, what OSs and versions of OpenSSL are vulnerable, what are the symptoms, are there…
Jacob
88 votes, 8 answers

Heartbleed: how to reliably and portably check the OpenSSL version?

I was looking at a reliable and portable way to check the OpenSSL version on GNU/Linux and other systems, so users can easily discover if they should upgrade their SSL because of the Heartbleed bug. I thought it would be easy, but I quickly ran into…
Martijn
65 votes, 6 answers

Heartbleed: are services other than HTTPS affected?

The OpenSSL 'heartbleed' vulnerability (CVE-2014-0160) affects webservers serving HTTPS. Other services also use OpenSSL. Are these services also vulnerable to heartbleed-like data leakage? I'm thinking in particular of sshd, secure SMTP, IMAP etc…
Flup
28 votes, 8 answers

My server is still vulnerable to heartbleed even after I update OpenSSL

I have an Ubuntu 12.04 server. I have updated the OpenSSL package in order to fix the heartbleed vulnerability. But I am still vulnerable, even though I have restarted the web server, and even the whole server. To check my vulnerability I…
user3301260
27 votes, 4 answers

How do I check if my SSL certificates have been revoked

The recent discovery of the heartbleed vulnerability has prompted certificate authorities to re-issue certificates. I have two certificates that were generated before the heartbleed vulnerability was discovered. After the SSL issuer told me to…
sridhar pandurangiah
19 votes, 1 answer

Does Heartbleed affect AWS Elastic Load Balancer?

The Heartbleed OpenSSL vulnerability (http://heartbleed.com/) affects OpenSSL 1.0.1 through 1.0.1f (inclusive) I use Amazon Elastic Load Balancer to terminate my SSL connections. Is ELB vulnerable?
secretmike
11 votes, 1 answer

Command line tool for fetching and analyzing SSL certificate

Following the heartbleed vulnerability in openSSL, all the SSH certificates on our servers were re-issued and re-installed. Since it is likely that we've missed something on a server (for example, restarting Apache), we are checking the servers…
Adam Matan
10 votes, 1 answer

I am still running Ubuntu 13.04, how should I react to the Heartbleed Bug?

I know that 13.04 is affected (or at least my installation is) because of the OpenSSL version currently installed. However, after running "sudo apt-get update" and "sudo apt-get upgrade" I checked my OpenSSL version and it was still an unpatched build. I…
dwlz
9 votes, 2 answers

How to install a vulnerable version of OpenSSL on a Linux server?

I'd like to compile and install a Heartbleed-vulnerable OpenSSL version on a server I'm setting up for a team web security challenge (since these are not available for install from Ubuntu's repository for obvious reasons). I downloaded and compiled…
mittelmania
9 votes, 1 answer

How do we instruct our employees to protect themselves from Heartbleed?

Welcome to the world after heartbleed. We've patched our servers and are replacing our SSL certificates. But just because our servers are fixed, that doesn't mean that the rest of the internet is fixed. We have employees, and they use the…
Wayne Conrad
9 votes, 4 answers

Do I Need to Replace Keys for OpenSSH in Response to Heartbleed?

I've already updated my servers with the patches. Do I need to regenerate any private keys with respect to OpenSSH? I know that I have to regenerate any SSL certificates. EDIT: I didn't word this accurately enough. I know the vulnerability is in…
Olly
8 votes, 3 answers

Do I have to update my snakeoil certificate after updating openssl (heartbleed)?

I just updated my debian wheezy server to the newest version of the openssl package which has the heartbleed bug fixed. I do support SSL on my server, but only with a snakeoil certificate. I was just wondering if there is actually any security…
Preexo
6 votes, 1 answer

Why do I get different openssl versions?

I'm trying to check if I am running the latest OpenSSL version; my main concern is the heartbleed bug. I tried 2 commands: "openssl version" and "yum info openssl". "openssl version" output: OpenSSL 1.0.1e-fips 11 Feb 2013. "yum info openssl" output: Installed…
CoCoMonk
5 votes, 2 answers

Upgrading SSL library does not fix heartbleed

I have just upgraded the openssl library on my Ubuntu 12.04 server to fix the heartbleed bug. Here's the output that I get for the "openssl version -a" command: OpenSSL 1.0.0g 18 Jan 2012 built on: Fri Apr 11 09:20:16 UTC 2014 platform:…
5 votes, 4 answers

Is there a way, to manually check for openssl CVE-2014-0160 vulnerability?

Is there a way for one to check some internal services against CVE-2014-0160 (preferably using the openssl CLI)? I CANNOT test everything just by using: Test your server for Heartbleed (CVE-2014-0160).
alexus