So the Heartbeat vulnerability have hit the press.
It seems that the default Iworx configuration is vulnerable.
You can check your HTTPS sites running on Iworx servers here: http://possible.lv/tools/hb/
More info on the bug can be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
I hope your well
Many thanks for bring this to attention, and I checked using some of our systems, which IW was at risk, but sites running on IW were not.
I updated OpenSSL a little while ago, but have just updated again and it shows not vunerable.
If any user has centos 6.5 64 bit as os, our systems updated fine, just ssh and run su yum update OpenSSL.
Once again thanks for your post
Should we be at all concerned that, after updating openssl, the version reported is the same as before?
We just made an alert on our support page about this (http://www.interworx.com/support/alerts/update-openssl-immediately/)
Basically, to check if you’re vulnerable, run:
rpm -q openssl
- If that reports version 1.0.1e and less than 1.0.1e-16.el6_18.104.22.168, then you are currently vulnerable to this problem and need to update immediately. (yum update openssl)
- If it reports 1.0.1e-16.el6_22.214.171.124.centos then you have the temporary version issued before Redhat issued their official fix.
- If you have 1.0.1e-16.el6_5.7 or higher then you have the official fixed version from CentOS.
Some further details:
After the update is applied, you’ll also need to restart any services that had SSL attached to them, which includes:
- Mail services (imap4-ssl, pop3-ssl, smtp, smpt2)
Following the update, you should also generate new self-signed certificates and apply them to all services, which you can do in NodeWorx >> Server >> SSL Certificates. If you purchased an SSL certificate from a Certificate Authority, contact them ASAP for a new key.
For Litespeed users:
If you use LSWS, you need to update your LSWS version (Litespeed released a patch for this this morning):
/usr/local/lsws/admin/misc/lsup.sh -f -v 4.2.9
If anyone has any issues, they should report them on the LiteSpeed forum: http://www.litespeedtech.com/support/forum/threads/heads-up-serious-openssl-vulernability.8496/
I hope you don’t mind, and sorry I may have missed the reason for new SSL Certs to be regenerated, but I was wondering why new Certs are needed.
In our case we had already updated to version e, and using the test shown by Evanion, IW domain for login was shown as vunerable, but any sites with SSL on was not vunerable.
I hope you don’t mind
I’m sorry, please disregard my above post and apologies to causing confusion to anyone reading my post.
I will organise to generate new SSL Certs from our providers and notify our clients who have SSL.