Critical: Heartbleed OpenSSL Vulnerability

  • Critical: Heartbleed OpenSSL Vulnerability

    Hello everyone,

    As reported in mainstream media, in OpenSSL 1.0.1, there is a critical vulnerability with Heartbeat Extension packets which, for the past 2 years, has created a very serious security vulnerability that can be exploited and can cause sensitive information to be stolen. This vulnerability is referenced in CVE-2014-0160.

    We would like to reassure customers that all cPanel shared hosting servers are safe from this vulnerability - our senior administrators immediately took action to patch all of our servers which were affected by the vulnerability. However, dedicated server and VPS customers must take immediate action to update to OpenSSL 1.0.1g, which resolves the vulnerability known as Heartbleed.

    Please note that:
    • OpenSSL 1.0.1 through to 1.0.1f (inclusive) IS vulnerable
    • OpenSSL 1.0.1g IS NOT vulnerable
    • OpenSSL 1.0.0 IS NOT vulnerable
    • OpenSSL 0.9.8 IS NOT vulnerable

    To check whether your server is vulnerable, on CentOS/Red Hat, run:

    rpm -qa openssl*
    or
    yum info openssl | egrep "Package|Version|Release"

    On Ubuntu Server:

    dpkg -l | grep openssl

    (On Ubuntu, ensure the version returned matches the ones here.)

    Alternatively, you can check online here: http://filippo.io/Heartbleed

    Customers that are unable to do this themselves or need our assistance are requested to submit a ticket as soon as possible so our technicians can apply the patch for you.

    In the interest of customer security, we would strongly advise customers to change their cPanel/WHM password and account password for the eUKhost billing area.

    If you have any questions or concerns regarding this notice, please submit a ticket. One of our senior technicians will be happy to help you.

    Kind regards,

    The eUKhost Team
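The version table and the `rpm -qa` / `dpkg -l` checks above, as an added example that is not part of the eUKhost post: a POSIX shell script that parses package lines in the format those two commands print and classifies each package against the table. It also handles the caveat the post hints at for Ubuntu: distributions backport the fix without changing the upstream version, so a "1.0.1e" package may already be patched and only its release field tells you. The `FIXED_RELEASES` list and every sample line below are constructed for the demonstration, not taken from any vendor advisory.

```shell
#!/bin/sh
# Classify OpenSSL packages against the Heartbleed version table.
# Upstream 1.0.1 through 1.0.1f are affected; 1.0.1g (and later), 1.0.0
# and 0.9.8 are not. Distro packages backport the fix without bumping the
# upstream version, so for a 1.0.1x package we also compare the release
# field with FIXED_RELEASES, which you fill in from your vendor's advisory.

# Space-separated "<version>-<release>" strings the advisory lists as fixed.
# Deliberately empty here (PLACEHOLDER); take the real values from the advisory.
FIXED_RELEASES="${FIXED_RELEASES:-}"

# heartbleed_status VERSION [RELEASE]
# Prints one of: not-affected | patched-by-distro | vulnerable | unknown
heartbleed_status() {
    ver=$1
    rel=${2:-}
    case "$ver" in
        0.9.8*|1.0.0*|1.0.1[g-z]*)
            echo not-affected ;;
        1.0.1|1.0.1[a-f])
            for fixed in $FIXED_RELEASES; do
                if [ "$ver-$rel" = "$fixed" ]; then
                    echo patched-by-distro
                    return 0
                fi
            done
            echo vulnerable ;;
        *)
            echo unknown ;;   # anything else (e.g. 1.0.2 betas): check the advisory
    esac
    return 0
}

# rpm -qa line: NAME-VERSION-RELEASE.ARCH  ->  prints "NAME VERSION RELEASE"
parse_rpm_line() {
    nvr=${1%.*}          # strip .ARCH
    rel=${nvr##*-}
    nv=${nvr%-*}
    ver=${nv##*-}
    name=${nv%-*}
    echo "$name $ver $rel"
}

# dpkg -l line: "ii  NAME  VERSION-DEBREV  ARCH  DESC"  ->  "NAME VERSION RELEASE"
parse_dpkg_line() {
    set -- $1
    name=$2
    ver=${3%%-*}
    ver=${ver#*:}                   # drop an epoch such as "1:" if present
    rel=${3#*-}
    [ "$rel" = "$3" ] && rel=""     # no Debian revision present
    echo "$name $ver $rel"
}

# check_line rpm|dpkg "LINE"  ->  prints "NAME STATUS"
check_line() {
    case "$1" in
        rpm)  parsed=$(parse_rpm_line "$2") ;;
        dpkg) parsed=$(parse_dpkg_line "$2") ;;
        *)    echo "usage: check_line rpm|dpkg LINE" >&2; return 1 ;;
    esac
    set -- $parsed
    echo "$1 $(heartbleed_status "$2" "$3")"
}

# Constructed sample output (not from any real server) for a dry run.
SAMPLE_RPM="openssl-1.0.1e-16.el6_5.4.x86_64
openssl-devel-1.0.1e-16.el6_5.4.x86_64
openssl098e-0.9.8e-17.el6.centos.2.x86_64"
SAMPLE_DPKG="ii  openssl            1.0.1-4ubuntu5.99  amd64  Secure Sockets Layer toolkit
ii  libssl1.0.0:amd64  1.0.1-4ubuntu5.99  amd64  SSL shared libraries"

printf '%s\n' "$SAMPLE_RPM"  | while read -r l; do check_line rpm "$l";  done
printf '%s\n' "$SAMPLE_DPKG" | while read -r l; do check_line dpkg "$l"; done
```

On a live system replace the two sample variables with `rpm -qa 'openssl*'` or `dpkg -l | grep openssl` output; anything reported `vulnerable` with a 1.0.1 version is then either genuinely unpatched or carries a backported fix whose release string you have not yet added to `FIXED_RELEASES`, which is exactly the comparison the Ubuntu note above asks you to make by hand.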

  • #2
    Re: Critical: Heartbleed OpenSSL Vulnerability

    We have already patched all our Linux shared servers and also private servers such as VPS, semi-dedicated and dedicated servers for which the client has sent review requests.

    RedHat 6, CentOS 6, CloudLinux 6 and other third party distro providers have published patched versions of their OpenSSL 1.0.1 RPMs to their mirrors listing. To update any affected servers, run “yum update” to install the patched version of OpenSSL and restart all SSL-enabled services or reboot the system.

    If there is a plain Linux server with a custom OpenSSL version installed that includes said security vulnerability, then it can be patched with the following steps. You need to replace the old openssl binary with the new install.

    cd /usr/local/src/
    wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
    tar -xvzf openssl-1.0.1g.tar.gz
    cd openssl-1.0.1g/
    # Note: you need to check the existing installation and set the prefix path accordingly.
    ./config --prefix=/opt/openssl shared
    make
    make test
    make install
    # Services that loaded the old library keep running the old code until restarted.
    If you have any doubt or query while doing this then just contact us via live chat or open a support ticket with the server details.
    We will get this done for you.
    Regards,
    Kieran A.
    Cloud Administrator
    Skype :: Kieran.Alen | eUKhost
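The reminder above to restart all SSL-enabled services (or reboot) after updating, as an added example that is not part of Kieran's post: a POSIX shell script that finds processes still running the replaced library. On Linux, a process that loaded a shared object which was later overwritten by the package upgrade keeps the old copy mapped, and `/proc/PID/maps` marks it with a `(deleted)` suffix. The parser below works on that format; the sample maps lines are constructed for the demonstration, and the live scan assumes a Linux procfs and enough privilege to read other processes' maps.

```shell
#!/bin/sh
# After replacing libssl/libcrypto, report daemons that still have the old
# (now unlinked) library mapped. Such processes keep executing the vulnerable
# code until they are restarted, whatever the package version now says.

# stale_ssl_libs_in  (reads /proc/PID/maps text on stdin)
# Prints each distinct libssl/libcrypto path that is mapped but deleted.
stale_ssl_libs_in() {
    awk '
        /libssl|libcrypto/ && /\(deleted\)/ {
            # field 6 is the path, field 7 is the "(deleted)" marker
            if (!seen[$6]++) print $6
        }'
}

# scan_running_processes: walk /proc and report PIDs holding stale libraries.
scan_running_processes() {
    [ -d /proc/self ] || { echo "procfs not available; run on Linux" >&2; return 1; }
    for maps in /proc/[0-9]*/maps; do
        libs=$(stale_ssl_libs_in < "$maps" 2>/dev/null) || continue
        [ -n "$libs" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        printf 'PID %s (%s) still maps: %s\n' "$pid" "$comm" "$(echo $libs)"
    done
    return 0
}

# Constructed sample of a maps file after an in-place OpenSSL upgrade.
# The first three mappings belong to a daemon started before the upgrade;
# the last one is a process that already picked up the new file.
SAMPLE_MAPS="7f3a1c000000-7f3a1c1b9000 r-xp 00000000 fd:01 131077 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a1c1b9000-7f3a1c3b8000 ---p 001b9000 fd:01 131077 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a1c400000-7f3a1c5e0000 r-xp 00000000 fd:01 131020 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f3a1d000000-7f3a1d01c000 r-xp 00000000 fd:01 130951 /lib64/libz.so.1.2.3
7f3a1e000000-7f3a1e100000 r-xp 00000000 fd:01 140001 /usr/lib64/libssl.so.1.0.1e"

echo "stale libraries in sample maps:"
printf '%s\n' "$SAMPLE_MAPS" | stale_ssl_libs_in
# On a real host, run scan_running_processes as root and restart every PID it lists.
```

Run `scan_running_processes` as root after `yum update` and restart (or reboot) whatever it lists; `lsof -n | grep -E 'libssl|libcrypto' | grep DEL` gives the same answer on hosts where lsof is installed. Note that this check only catches an in-place replacement: the source build above installs under /opt/openssl, so a service still linked against the old /usr library will show no `(deleted)` mapping and must be reconfigured or rebuilt to use the new prefix.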



    • #3
      Re: Critical: Heartbleed OpenSSL Vulnerability

      Following on from Heartbleed, and as a consequence of it, an interesting test of the general SSL capabilities has been eye-opening. A veritable can of worms was opened when I ran further checks on my servers, and it has taken days of research and trials to finally get a rating that I am pleased with (i.e. up there with the best).

      Looks like you guys have a little work ahead of you, though I'm pleased to see that 'billing' is looking 'pretty good':
      https://www.ssllabs.com/ssltest/anal...hideResults=on
      https://www.ssllabs.com/ssltest/anal...hideResults=on
      https://www.ssllabs.com/ssltest/anal...hideResults=on

      Just a sample of the ones of particular importance to me.

      EJ
      EUKHost unofficial Systems Monitor
      [P.S. Does this mean I get to wear my newly arrived Polo shirt?]
      Managed osCmax hosting
      (I'm not social)



      • #4
        Re: Critical: Heartbleed OpenSSL Vulnerability

        Originally posted by ejsolutions:
        > [P.S. Does this mean I get to wear my newly arrived Polo shirt?]

        Yes.
