Heartbeat vulnerability

Hello
So the Heartbeat vulnerability has hit the press.
It seems that the default Iworx configuration is vulnerable.
You can check your HTTPS sites running on Iworx servers here: http://possible.lv/tools/hb/
More info on the bug can be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

Hi Evanion

I hope you're well.

Many thanks for bringing this to attention. I checked using some of our systems; IW was at risk, but sites running on IW were not.

I updated OpenSSL a little while ago, but have just updated again and it shows not vulnerable.

If any user has CentOS 6.5 64-bit as OS, our systems updated fine; just ssh in, run su, then yum update OpenSSL.

Once again thanks for your post

Many thanks

John

Should we be at all concerned that, after updating openssl, the version reported is the same as before?

We just made an alert on our support page about this (http://www.interworx.com/support/alerts/update-openssl-immediately/)

Basically, to check if you’re vulnerable, run:

rpm -q openssl

  • If that reports version 1.0.1e and less than 1.0.1e-16.el6_5.4.0.1, then you are currently vulnerable to this problem and need to update immediately. (yum update openssl)
  • If it reports 1.0.1e-16.el6_5.4.0.1.centos then you have the temporary version issued before Redhat issued their official fix.
  • If you have 1.0.1e-16.el6_5.7 or higher then you have the official fixed version from CentOS.

Some further details:

After the update is applied, you’ll also need to restart any services that had SSL attached to them, which includes:

  • Apache
  • InterWorx
  • Mail services (imap4-ssl, pop3-ssl, smtp, smtp2)

Following the update, you should also generate new self-signed certificates and apply them to all services, which you can do in NodeWorx >> Server >> SSL Certificates. If you purchased an SSL certificate from a Certificate Authority, contact them ASAP for a new key.

For Litespeed users:

If you use LSWS, you need to update your LSWS version (Litespeed released a patch for this this morning):

/usr/local/lsws/admin/misc/lsup.sh -f -v 4.2.9

If anyone has any issues, they should report them on the LiteSpeed forum: http://www.litespeedtech.com/support/forum/threads/heads-up-serious-openssl-vulernability.8496/
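As an added illustration, not code from the InterWorx alert or from Brett's post, the POSIX shell script below turns the version rules and the "restart services" step above into two checks: classify_openssl maps one line of `rpm -q openssl` output to vulnerable, temporary-fix, fixed or unknown, and stale_ssl_pids lists processes that still have a deleted libssl/libcrypto mapped, which is exactly the set of services that loaded the old library and still need restarting. The function names are mine, the sample package strings are constructed, and the script assumes the CentOS 6.5 naming Brett quotes (1.0.1e-16.el6_5.N); any other release string is reported as "unknown" rather than guessed at.

```shell
#!/bin/sh
# Added example (not InterWorx's own tooling). Two post-Heartbleed checks:
#  1. classify_openssl: apply the three version rules from the alert above.
#  2. stale_ssl_pids:   find processes still mapping a deleted libssl/libcrypto,
#                       i.e. services that still need a restart after yum update.
# Assumes CentOS 6.5 package naming (openssl-1.0.1e-16.el6_5.N...).

# Compare two dot-separated integer strings the way rpm does (more segments
# sorts higher). Prints -1, 0 or 1.
dotcmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        if [ -z "$x" ]; then x=-1; fi      # missing segment sorts lowest
        if [ -z "$y" ]; then y=-1; fi
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# Map one `rpm -q openssl` line to: vulnerable | temporary-fix | fixed | unknown
classify_openssl() {
    vr="${1#openssl-}"
    vr="${vr%.x86_64}"; vr="${vr%.i686}"          # drop the architecture suffix
    ver="${vr%%-*}"
    case "$vr" in *-*) rel="${vr#*-}" ;; *) rel="" ;; esac
    if [ "$ver" != "1.0.1e" ]; then printf 'unknown\n'; return 0; fi
    case "$rel" in
        16.el6_5.4.0.1|16.el6_5.4.0.1.centos) printf 'temporary-fix\n'; return 0 ;;
        16.el6_5)   sub="" ;;                      # 1.0.1e-16.el6_5 with no suffix
        16.el6_5.*) sub="${rel#16.el6_5.}" ;;
        *)          printf 'unknown\n'; return 0 ;; # release pattern not covered
    esac
    case "$sub" in *[!0-9.]*) printf 'unknown\n'; return 0 ;; esac
    if [ "$(dotcmp "$sub" 7)" -ge 0 ]; then
        printf 'fixed\n'                           # 1.0.1e-16.el6_5.7 or higher
    elif [ "$(dotcmp "$sub" 4.0.1)" -lt 0 ]; then
        printf 'vulnerable\n'                      # older than the temporary build
    else
        printf 'unknown\n'                         # between the two; the alert does not say
    fi
}

# Print PIDs under the given /proc root (default /proc) whose memory map still
# references a deleted libssl or libcrypto: the upgraded file replaced the one
# they loaded, so they run old code until restarted.
stale_ssl_pids() {
    root="${1:-/proc}"
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -q -e 'libssl.*(deleted)' -e 'libcrypto.*(deleted)' "$maps" 2>/dev/null; then
            pid="${maps%/maps}"; printf '%s\n' "${pid##*/}"
        fi
    done
}

# Constructed sample values (not output from any real server):
for sample in openssl-1.0.1e-16.el6_5.4.x86_64 \
              openssl-1.0.1e-16.el6_5.4.0.1.centos.x86_64 \
              openssl-1.0.1e-16.el6_5.7.x86_64; do
    printf '%-45s %s\n' "$sample" "$(classify_openssl "$sample")"
done

# Live use on a CentOS host (uncomment):
# classify_openssl "$(rpm -q openssl)"
# for p in $(stale_ssl_pids); do ps -o pid=,comm= -p "$p"; done
```

Running the live lines after yum update gives you both answers the alert asks for: whether the installed package is past the fixed release, and which daemons (Apache, the InterWorx web UI, the mail services) are still holding the pre-update library and need a restart before the box is actually clean.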

Hi Brett

I hope you don’t mind, and sorry if I have missed the reason for new SSL Certs to be regenerated, but I was wondering why new Certs are needed.

In our case we had already updated to version e, and using the test shown by Evanion, the IW domain for login was shown as vulnerable, but any sites with SSL on were not vulnerable.

I hope you don’t mind

Many thanks

John

Hi Brett

I’m sorry, please disregard my above post, and apologies for causing confusion to anyone reading my post.

I will organise to generate new SSL Certs from our providers and notify our clients who have SSL.

Many thanks

John