
Friday 2 May 2014

Heartbleed - Checking your OpenSSL version

The OpenSSL project describes HeartBleed as follows:

“A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64kB of memory to a connected client or server.”

Unfortunately it is quite normal to have multiple versions of OpenSSL installed on a system, along with multiple certificates and keys, so you may have to check in several places:

1. To check the version installed as a standard IBM LPP (Licensed Program Product):

# lslpp -l openssl.base
  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  openssl.base             1.0.1.500  COMMITTED  Open Secure Socket Layer

Path: /etc/objrepos
  openssl.base             1.0.1.500  COMMITTED  Open Secure Socket Layer
[root@p520-aix61:/opt/syslog-ng]
 

# /usr/bin/openssl version
OpenSSL 1.0.1e 11 Feb 2013


2. To check the version installed using an RPM:

# rpm -qi openssl
Name        : openssl                      Relocations: (not relocateable)
Version     : 1.0.1g                            Vendor: (none)
Release     : 1                             Build Date: Tue Apr  8 18:49:04 CEST 2014
Install date: Mon Apr 14 11:59:33 CEST 2014      Build Host: aix51.perzl.org
Group       : System Environment/Libraries   Source RPM: openssl-1.0.1g-1.src.rpm
Size        : 56530184                         License: OpenSSL License
URL         : http://www.openssl.org/
Summary     : Secure Sockets Layer and cryptography libraries and tools
Description :
The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, fully featured, and Open Source toolkit implementing the
....

..


# /opt/freeware/bin/openssl version
OpenSSL 1.0.1g 7 Apr 2014



3. Use the find command to make sure there are no other, manually installed copies of OpenSSL (binaries or libraries) elsewhere on the system.

4. Check which version is your default, i.e. the one that runs when you call openssl without specifying a pathname:

# type openssl
openssl is /usr/bin/openssl

5. Finally visit IBM's security pages for the latest information:

http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq
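An added example, not part of the original post, that ties steps 1 to 4 together: a POSIX shell script that lists the default openssl plus every openssl binary under the locations checked above, runs `openssl version` on each, and flags the builds that carry the Heartbleed bug. It assumes the roots to search and the use of `command -v` and `find -perm -100` on the AIX shell; the version strings in the comments and the classification rule are taken from the upstream OpenSSL advisory, not from the post.

```shell
#!/bin/sh
# Added example (not from the post): run "openssl version" on every OpenSSL
# binary found and flag the ones with the Heartbleed bug. Affected upstream
# versions are 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g (the RPM above)
# is fixed, and the 0.9.8 / 1.0.0 streams never shipped the heartbeat code.

# heartbleed_status "OpenSSL 1.0.1e 11 Feb 2013"  ->  prints AFFECTED
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    case "$ver" in
        "")                                   echo "UNKNOWN" ;;
        1.0.1 | 1.0.1-* | 1.0.1[a-f] | 1.0.1[a-f]-* | 1.0.2-beta1)
                                              echo "AFFECTED" ;;
        *)                                    echo "NOT-AFFECTED" ;;
    esac
}

# Report the default openssl plus every executable named openssl under the
# given roots. Default roots (an assumption): the LPP and RPM locations from
# the post, plus the usual places for hand-built copies.
scan_openssl_binaries() {
    [ $# -eq 0 ] && set -- /usr/bin /opt/freeware/bin /usr/local /opt
    default_bin=$(command -v openssl 2>/dev/null)
    {
        [ -n "$default_bin" ] && printf '%s\n' "$default_bin"
        find "$@" -type f -name openssl -perm -100 2>/dev/null
    } | sort -u | while read -r bin; do
        out=$("$bin" version 2>/dev/null)
        printf '%-32s %-32s %s\n' "$bin" "${out:-(no output)}" \
            "$(heartbleed_status "$out")"
    done
}

# Usage: sh check_heartbleed.sh --scan [root ...]
if [ "${1:-}" = "--scan" ]; then
    shift
    scan_openssl_binaries "$@"
fi
```

The scan only reports what each binary says about itself; a library copied out of the LPP or RPM tree and linked into another product still needs the find pass from step 3.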

In my example the LPP version 1.0.1.500 of OpenSSL is susceptible to Heartbleed and should be replaced with version 1.0.1.502; the RPM version 1.0.1g is not affected. The updated install package can be obtained from:

https://www14.software.ibm.com/webapp/iwm/web/reg/download.do?source=aixbp&lang=en_US&S_PKG=openssl&cp=UTF-8

Once the update has been installed you need to configure your system as per the instructions in the IBM security bulletin:

http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq?mode=18&ID=3494&myns=pwraix71&mync=E

Once you have completed the update you can use this site to test your system:
https://filippo.io/Heartbleed/


It is worth remembering that your data may already have been stolen, so you still need to take action such as resetting all your web user accounts, etc., and checking that your system has not been compromised in other ways.

1 comment:

  1. Thanks for providing this informative information. It is very useful; you may also refer to http://www.s4techno.com/blog/2016/07/11/to-get-set-acl-in-aix/