This morning we deployed an update to the OpenSSL software packages on our shared and customer servers to address a critical vulnerability. The vulnerability, dubbed "heartbleed", is the result of improper data validation (bounds check) within a "heartbeat" feature of the OpenSSL TLS implementation. Because of this vulnerability, it is possible that a portion of active memory can be disclosed to connecting clients, which can leak sensitive information.
Ultimately, this may lead to the disclosure of transaction or customer-identifiable information, which undermines the very purpose of SSL implementations for our customers and the Internet community at large. Although we make every effort to schedule updates and maintenance, the critical nature of this vulnerability prompted immediate action. We’re working hard to protect our customers and want to thank you for your understanding.
What is the status of my SSL certificates?
Our position is that regenerating/reissuing SSL certificates is not explicitly required and doing so would be out of an abundance of caution. Although the heartbleed vulnerability had the very real possibility to disclose the server-side private key for an SSL certificate, the ability to capture an entire SSL private key required more than just a passing interest in a specific web site. An attacker would need to conduct a targeted effort to dump thousands of memory captures using the vulnerability and piece together an SSL private certificate, a non-trivial task. Further, we have no indications at this time of any large scale attempts to compromise SSL private keys on our customer web sites, servers or network at large. We will continue to monitor our servers and networks with vigilance and if at any time we have indications that this position needs to change, we will update our customers accordingly. If you have any questions or concerns regarding this or other issues, please get in touch and we’ll get back to you as soon as possible.
Vulnerability Scope: For customers that are currently running cPanel/WHM, the OpenSSL update will apply within the next 24h through daily automatic updates. To verify that the update has applied or to proactively apply it, please find details below. It is important to note, that once the OpenSSL update has been applied, Apache and/or Nginx must be restarted to ensure that the vulnerability is properly closed. Check the current OpenSSL Version: # rpm -q openssl openssl-1.0.1e-16.el6_5.7.x86_64 The patched version of OpenSSL for CentOS 6 is openssl-1.0.1e-16.el6_5.7.x86_64. The version of OpenSSL provided in CentOS 5.10 (openssl-0.9.8e-27.el5_10.1) is NOT vulnerable. The version of OpenSSL provided in CentOS 6.5 (openssl-1.0.1e-16.el6_5.4) WAS vulnerable. If you find that you are running any version other than 'openssl-0.9.8e-27.el5_10.1' or 'openssl-1.0.1e-16.el6_5.7.x86_64' then you should immediately update the OpenSSL packages: # yum update -y openssl # /etc/init.d/httpd stop # /etc/init.d/httpd start Although we have made every effort to access and update customer systems, this may not always be possible in cases where customers may have restricted access to systems and/or are using operating systems other than RHEL/CentOS. As such, we encourage all Cloud VPS, Hybrid and Dedicated customers to verify that this vulnerability is patched with an updated OpenSSL package.
Additional update information: Debian Wheezy, Jessie, Sid https://www.debian.org/security/2014/dsa-2896 # apt-get upgrade openssl Ubuntu 12.04, 12.10, 13.10 http://www.ubuntu.com/usn/usn-2165-1/ # apt-get upgrade openssl RHEL/CentOS 6.5 https://rhn.redhat.com/errata/RHSA-2014-0376.html http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html # yum update openssl CentOS 5.10, OpenSSL 0.9.8 is NOT vulnerable
Vulnerability Details: http://heartbleed.com/ https://www.openssl.org/news/secadv_20140407.txt https://access.redhat.com/security/cve/CVE-2014-0160
Proof of Concept Test: http://filippo.io/Heartbleed/