Patched: OpenSSL Heartbleed Vulnerability CVE-2014-0160

This morning we deployed an update to the OpenSSL software packages on our shared and customer servers to address a critical vulnerability. The vulnerability, dubbed “heartbleed”, is the result of a missing bounds check in the TLS “heartbeat” extension of the OpenSSL implementation.

Because of this vulnerability, it is possible that a portion of active memory can be disclosed to connecting clients, which can leak sensitive information. Ultimately, this may lead to the disclosure of transaction or customer-identifiable information, which undermines the very purpose of SSL implementations for our customers and the Internet community at large.

Although we make every effort to schedule updates and maintenance, the critical nature of this vulnerability prompted immediate action. We’re working hard to protect our customers and want to thank you for your understanding.

What is the status of my SSL certificates?
Our position is that regenerating/reissuing SSL certificates is not explicitly required and doing so would be out of an abundance of caution. Although the heartbleed vulnerability had the very real possibility to disclose the server-side private key for an SSL certificate, capturing an entire SSL private key required more than just a passing interest in a specific web site. An attacker would need to conduct a targeted effort to dump thousands of memory captures using the vulnerability and reconstruct the SSL private key from the fragments, a non-trivial task.

Further, we have no indications at this time of any large scale attempts to compromise SSL private keys on our customer web sites, servers or network at large. We will continue to monitor our servers and networks with vigilance and if at any time we have indications that this position needs to change, we will update our customers accordingly.

If you have any questions or concerns regarding this or other issues, please get in touch and we’ll get back to you as soon as possible.

Vulnerability Scope:
For customers that are currently running cPanel/WHM, the OpenSSL update will apply within the next 24 hours through daily automatic updates. To verify that the update has applied or to proactively apply it, please find details below. It is important to note that once the OpenSSL update has been applied, Apache and/or Nginx must be restarted to ensure that the vulnerability is properly closed: a running process keeps the old library loaded until it restarts.

Check the current OpenSSL Version:
# rpm -q openssl
openssl-1.0.1e-16.el6_5.7.x86_64

The patched version of OpenSSL for CentOS 6 is openssl-1.0.1e-16.el6_5.7.x86_64.
The version of OpenSSL provided in CentOS 5.10 (openssl-0.9.8e-27.el5_10.1) is NOT vulnerable.
The version of OpenSSL provided in CentOS 6.5 (openssl-1.0.1e-16.el6_5.4) WAS vulnerable.

If you find that you are running any version other than 'openssl-0.9.8e-27.el5_10.1' or 'openssl-1.0.1e-16.el6_5.7.x86_64' then you should immediately update the OpenSSL packages:
# yum update -y openssl
# /etc/init.d/httpd stop
# /etc/init.d/httpd start
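The version check and the restart requirement above, as an added example that is not part of the original notice or the provider's tooling: a POSIX shell script that classifies the output of rpm -q openssl against the CentOS builds named here, and lists processes that still map a pre-update libssl/libcrypto (the case the restart step exists for). The function names are constructed, and it assumes (going slightly beyond the page) that any el6_5.N release with N of 7 or higher carries the fix; anything it does not recognise is reported as unknown rather than guessed.

```shell
#!/bin/sh
# heartbleed_rpm_status: classify an `rpm -q openssl` string against the builds
# named in the notice. Assumption: every el6_5.N release with N >= 7 is fixed.
# Prints fixed | not-vulnerable | vulnerable | unknown; exit status is 0 for the
# first two, 1 for vulnerable and 2 for unknown.
heartbleed_rpm_status() {
    pkg=$1
    ver=$(printf '%s\n' "$pkg" | sed -n 's/^openssl-\([0-9][^-]*\)-.*/\1/p')
    rel=$(printf '%s\n' "$pkg" | sed -n 's/^openssl-[^-]*-\(.*\)$/\1/p')
    case "$ver" in
        0.9.8*) echo not-vulnerable; return 0 ;;   # CentOS 5 branch, no heartbeat code
        1.0.1e) ;;                                 # CentOS 6 branch, decided by release
        *)      echo unknown; return 2 ;;
    esac
    case "$rel" in
        16.el6_5.*)
            n=${rel#16.el6_5.}
            n=${n%%.*}                             # drop the ".x86_64" / ".i686" suffix
            if [ "$n" -ge 7 ] 2>/dev/null; then echo fixed; return 0; fi
            echo vulnerable; return 1 ;;
        *)      echo unknown; return 2 ;;          # unexpected release: inspect
    esac                                           # rpm -q --changelog openssl by hand
}

# stale_ssl_pids: PIDs whose address space still maps a deleted libssl/libcrypto,
# i.e. processes (typically httpd or nginx) started before the package update.
# They keep the old code in memory until restarted, so a clean rpm version alone
# does not prove the host is closed.
stale_ssl_pids() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if grep -Eq 'lib(ssl|crypto)\.so[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
            echo "$pid"
        fi
    done
}

# Stand-alone use on a CentOS host: classify every installed openssl package
# (multilib hosts list two), then name processes that still need a restart.
rpm -q openssl 2>/dev/null | while read -r pkg; do
    printf '%s: %s\n' "$pkg" "$(heartbleed_rpm_status "$pkg")"
done
stale=$(stale_ssl_pids)
[ -z "$stale" ] || printf 'restart needed for PIDs: %s\n' "$stale"
```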

Although we have made every effort to access and update customer systems, this may not always be possible in cases where customers may have restricted access to systems and/or are using operating systems other than RHEL/CentOS. As such, we encourage all Cloud VPS, Hybrid and Dedicated customers to verify that this vulnerability is patched with an updated OpenSSL package.

Additional update information:

Debian Wheezy, Jessie, Sid
https://www.debian.org/security/2014/dsa-2896
# apt-get upgrade openssl

Ubuntu 12.04, 12.10, 13.10
http://www.ubuntu.com/usn/usn-2165-1/
# apt-get upgrade openssl

RHEL/CentOS 6.5
https://rhn.redhat.com/errata/RHSA-2014-0376.html
http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html
# yum update openssl

CentOS 5.10, OpenSSL 0.9.8 is NOT vulnerable

Vulnerability Details:
http://heartbleed.com/
https://www.openssl.org/news/secadv_20140407.txt
https://access.redhat.com/security/cve/CVE-2014-0160

Proof of Concept Test:
http://filippo.io/Heartbleed/


PHP Updates: PHP 5.5.11 & 5.4.27

We are pleased to announce that we have completed an update of the PHP versions available on all shared and business cloud servers to PHP 5.5.11 and 5.4.27. These updates contain several bug fixes as well as a security fix for CVE-2013-7345; for more details, please see the PHP.net changelog notes for PHP 5.5.11 and 5.4.27.

PHP 5.5 or 5.4 can be enabled for your whole account or on a per-directory basis through a simple .htaccess modification. Place it in an account's public_html/.htaccess file to enable PHP 5.5 or 5.4 for the entire account, or in the .htaccess file of a specific directory (e.g. public_html/wordpress/.htaccess) to enable it under that directory tree only.

To enable PHP 5.5 or 5.4, add one of the following .htaccess options:

 AddType application/x-httpd-php55 .php

Or

 AddType application/x-httpd-php54 .php

The binaries for the PHP 5.5 and 5.4 installations, should you need them for executable PHP scripts or cron jobs, are located at:

/usr/local/php55/bin/php

And

/usr/local/php54/bin/php

As with the existing PHP 5.3 setup, when you enable PHP 5.5 or 5.4 it will respect any custom php.ini settings you may have under your account. In addition, all standard PHP modules and extensions from the existing PHP 5.3 setup are enabled by default in the PHP 5.5 and 5.4 setups to ensure the best compatibility possible.

As always, if you have questions or comments, we can be reached 24/7 through any of our support channels. Thank you.

A Small Orange Community Newsletter April ’14

Welcome to the ASO Community Newsletter!

Cloud VPS Sale!
Get 2x the RAM + Diskspace. Seriously.

Happy April 1st.

Although we at ASO enjoy a good joke, we thought we’d spare you the April Fool’s frivolity this year, and cut straight to the savings. For a limited time, you can get 2x the RAM and diskspace on any Cloud VPS plan. No coupon needed! Offer applies to new orders and upgrades only.

Click here to look at all our Cloud VPS plans.

Need Your Own Website? We Can Help.

If you’re in need of a website but don’t have the time, patience, or skills to get one up and running, we can get you sorted out in no time.

All you have to do is pay a flat-rate price for a site created by an expert, who can provide the specific features you need.

Click here to take a look at all our website builder plans. You can also purchase this service as an add-on during checkout with any Shared Hosting plan.


Broaden Your ASO & Hosting Knowledge

Make your hosting experience a simpler one with the storehouse of helpful information in the ASO KnowledgeBase. Learn how to get started, manage billing issues, troubleshoot common problems across our product line, and more!

Click here to take a look.

Recommend ASO, Earn Commissions!

If you’re an ASO enthusiast, you should check out our Affiliate Program. Get some sweet commissions for recommending our services.

Sign up for free here, and start earning commissions today.

Thanks for reading. See you next month!

The ASO Team

Behind the Scenes: ASO’s Dress for Success Policy

We frequently hear from customers and readers of our blog who are interested in learning more about how we function as a business. Your wishes are our commands (usually), so in that spirit, we thought we’d share a new policy we are rolling out at A Small Orange to reflect our continued commitment to our customers.

Here is the message we posted on our internal blog:

Dear employees,

As A Small Orange grows, we feel that it’s important to look and act the part of a larger company. Doing so creates synergy, which is always good to have.

Therefore, effective April 7, we are implementing a “Dress for Success” policy and requiring all employees to be wearing business formal attire while working. This includes our employees in both our Austin and Durham locations, as well as our employees who work from home.

What exactly is business formal? Please see the examples below:

[Confidential stuff about how ASO does business here. Come work for us and get the full details.]

As part of our ongoing initiative to manufacture employee happiness, we are incorporating the enforcement of this new policy into a new, very much mandatory, twice daily video chat/meeting each employee will have with their supervisor/manager. We are calling these new meetings HOVERS, which stands for Helping Out Very Enthusiastically and Recalling Standards.

In addition to going over your metrics, kudos, and any other relevant updates, your supervisor will use your twice daily HOVERS to ensure that you are dressed appropriately for work. We think these HOVERS will promote additional synergies between you, your team, and the company.

Please remember that failure to dress appropriately after the effective date of our new “Dress for Success” policy will result in disciplinary action, up to, and including termination.

Since the leadership team aims to set a positive example, I will update this post later today with a few images of us reflecting the serious and professional nature of our work in the way we dress:

For more information on this change, please see our new “Dress for Success” policy.

We thank you for your compliance.

And here is the aforementioned Dress for Success policy:

A Small Orange expects employees (regardless of location or work from home status) to dress appropriately in business attire. Because our work environment is one in which professionalism is tantamount to success, we require everyone to Dress for Success.

Business attire for men includes suits, sports jackets and pants that are typical of business formal attire at work. Ties are mandatory. For women, business attire includes pant and skirt suits and sports jackets appropriate to a formal business attire environment.

Employees are expected to demonstrate good judgment and professional taste. Courtesy to co-workers and your professional image to customers (regardless of actual in person interaction) should be the factors that are used to assess that you are dressing in business attire that is appropriate.

The images featured below are great options for a formal business environment. Wearing clean and pressed attire is just as important in maintaining a business formal image. Also, it is important to keep in mind that maintaining a professional image in a formal business environment always includes dressing appropriately for the workplace – revealing too much is unacceptable, as modesty is key.

https://blog.asmallorange.com/wp-content/uploads/BFBusinessGroup.jpg

https://blog.asmallorange.com/wp-content/uploads/bfformalgroupattire.jpg

(Please note that positioning yourself with your co-workers in a “V” formation is not required by this policy.)

Your accessories, which range from your jewelry to your perfume to your notebook or briefcase, must also be fitting for a business formal environment and should be worn or carried in good taste. The images below give you a good idea of what a formal dress code looks like and can even offer inspiration for your own business formal attire.

As a reminder, your supervisor/manager will ensure you are dressed appropriately for work during your twice daily HOVERS. As a further reminder, attending your twice daily HOVERS is mandatory.

Remember, it is our goal to look and act the part of a public company in order to create synergy. Such synergistic actions inspire investor confidence and subsequently strong shareholder returns.

We thank you for your compliance.

Why You Should Update WordPress

I bet you’ve seen this warning at the top of your WordPress dashboard before. It’s easy to ignore, but there are several really important reasons NOT to ignore it. WordPress, just like any other software on your computer, needs to be updated regularly. Unlike most software and programs, though, WordPress is open source. Many people are working feverishly to improve WordPress and fix old problems, which means that updated versions are released pretty frequently.

Updating WordPress is very important, and really only takes a couple of quick steps. Don’t ignore the update warnings! WordPress will typically release updates for these reasons:

  • To improve features. New features that are released often help make WordPress easier to use. If you wait and then jump two or three versions of WordPress at once, it can cause problems with your site.
  • Safety reasons. WordPress updates may contain new security fixes that help prevent hackers and other bad actors from breaking into your website and inserting malicious code or malware. Not only can this kind of activity harm your site, but it can also cause your site to lose its position in search engine results.
  • Bug fixes. New updates can fix bugs that you’re experiencing on your site. If something isn’t working correctly, you may just need to update WordPress.

Plugin Updates are Important Too

Updating your plugins is just as important as updating WordPress, and you should update the plugins BEFORE you update WordPress to prevent them from breaking. Outdated plugins are highly vulnerable to attack. To update your plugins:

  1. Navigate to the Plugins panel and click Update Available
  2. Update your plugins in bulk or individually with the Update Now link underneath each plugin

Old Software is Extremely Vulnerable

When a new WordPress or plugin update is released, it comes with a report of the bugs it fixes. Attackers can find the weaknesses of old WordPress versions just by reading these reports. They target outdated sites by viewing the page source of a website to see what version of WordPress it is running. The simplest way to avoid being targeted is to keep everything updated.

Images courtesy of http://www.mayecreate.com/2013/04/why-you-should-update-wordpress/