A severe vulnerability has been found in the OpenSSL library, which is widely used on UNIX-based web servers to implement Secure Sockets Layer (SSL) and Transport Layer Security (TLS), the protocols that underpin all encrypted web browsing. Every time you access a URL with the “https://” prefix, you are using SSL or TLS.
OpenSSL versions 1.0.1 (released December 2011) to 1.0.1f are affected, with the vulnerability fixed in 1.0.1g.
The vulnerability allows an attacker to read up to 64kB of memory contents on the server. This can potentially expose privileged information including secret keys that underpin the encryption. An attack is especially dangerous as it leaves no trace in system logs.
The vulnerability has been nicknamed “Heartbleed”, as the bug is present within the heartbeat functionality of OpenSSL. The following popular Linux/BSD distributions are known to be affected:
Debian Wheezy, Ubuntu 12.04.4, CentOS 6.5, Fedora 18, SuSE 12.2, OpenBSD 5.4, FreeBSD 8.4, and NetBSD 5.0.2
If you are running one of these or a derivative, update your OpenSSL immediately to OpenSSL 1.0.1g, which can easily be done using standard package management tools (e.g. yum or apt-get). After that, restart your web server (and any other service that loaded the old library, since a running process keeps using the vulnerable code until it is restarted).
To check if your web site or web server has the Heartbleed bug, you can use this online Heartbleed test tool:
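Because a successful read leaves nothing in the server's own logs, the other place a defender can look is the TLS traffic itself. The check below is an added example (not code from the original post or from any test tool): it parses raw TLS records and flags a heartbeat record whose declared payload length cannot fit inside the record that carries it, which is exactly the inconsistency the bug fails to check. The record and heartbeat layouts follow the TLS record format and RFC 6520; the sample records are constructed test data.

```python
import struct

TLS_HEARTBEAT = 24     # TLS record content type for heartbeat (RFC 6520)
HB_HEADER_LEN = 3      # heartbeat type (1 byte) + payload_length (2 bytes)
HB_MIN_PADDING = 16    # RFC 6520 requires at least 16 bytes of padding


def check_tls_record(record: bytes) -> str:
    """Classify one raw TLS record as 'not-heartbeat', 'truncated', 'ok'
    or 'suspicious'. A heartbeat is suspicious when header + declared
    payload + minimum padding exceeds the bytes actually on the wire;
    a vulnerable peer would answer by copying that many bytes from memory."""
    if len(record) < 5:
        return "truncated"
    content_type, _version, frag_len = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return "not-heartbeat"
    fragment = record[5:5 + frag_len]
    if len(fragment) < frag_len or frag_len < HB_HEADER_LEN:
        return "truncated"
    _hb_type, payload_len = struct.unpack("!BH", fragment[:HB_HEADER_LEN])
    if HB_HEADER_LEN + payload_len + HB_MIN_PADDING > frag_len:
        return "suspicious"
    return "ok"


def scan_records(data: bytes) -> list:
    """Walk a byte string of back-to-back TLS records and return
    (offset, verdict) for each one; a truncated tail ends the scan."""
    verdicts, offset = [], 0
    while offset < len(data):
        verdict = check_tls_record(data[offset:])
        verdicts.append((offset, verdict))
        if verdict == "truncated":
            break
        frag_len = struct.unpack("!H", data[offset + 3:offset + 5])[0]
        offset += 5 + frag_len
    return verdicts


# Constructed samples: a well-formed heartbeat request carrying a 4-byte
# payload plus 16 bytes of padding, and one that declares a 256-byte
# payload while sending only 4 bytes (23-byte fragment in both cases).
BENIGN_HEARTBEAT = (b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04" + b"ping"
                    + b"\x00" * 16)
OVERSIZED_HEARTBEAT = (b"\x18\x03\x02\x00\x17" + b"\x01\x01\x00" + b"AAAA"
                       + b"\x00" * 16)

if __name__ == "__main__":
    for offset, verdict in scan_records(BENIGN_HEARTBEAT + OVERSIZED_HEARTBEAT):
        print(f"record at offset {offset}: {verdict}")
```

Feeding the detector with records captured from a live server (for example, reassembled TLS payloads from a packet capture) turns it into a simple passive monitor; it inspects only lengths, so it works regardless of the encrypted content.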
For more information:
- Slashdot: OpenSSL Bug Allows Attackers To Read Memory in 64k Chunks
- Wikipedia: OpenSSL Heartbleed Bug
- TechCrunch: Massive Security Bug in OpenSSL Could Affect a Huge Chunk of the Internet