Description
Summary of Article
This article is to address the new vulnerability that has been found on openssl 1.0.1 - 1.0.1f (inclusive)
Common Vulnerabilities and Exposure bug: CVE-2014-0160
Please click on the link for further details: http://heartbleed.com/
How to check if you're vulnerable:
SSH into Each Accelops Super or Workers and Collectors for each version that you have that is different:
Run the following commands:
- rpm -qa | grep openssl
- openssl
- You will be inside the openssl console
- version
Example output:
[root@super ~]# rpm -qa | grep openssl
openssl-0.9.8e-26.el5_9.1
openssl-0.9.8e-26.el5_9.1
[root@super ~]# openssl
OpenSSL> version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
Please compare that to the following information below (Extracted from HeartBleed.com)
What versions of the OpenSSL are affected?
Status of different versions:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
Basically what the above means:
If you are on openSSL v0.9.8 (all revisions within this branch) or openSSL v1.0.0 (all revisions within this branch) or openSSL v1.0.1g (all revision on THIS and AFTER) then you are NOT vulnerable to this bug.
If you are on openSSL versions 1.0.1 -> 1.0.1f (inclusive) then you ARE vulnerable.
Currently 3.7.x customers will most likely be utilizing 0.9.8fips and will not be affected.
It will be a good idea to double check if there was any modifications or customizations done to your AO environment.
