The OpenSSL project describes HeartBleed as follows:
"“A missing bounds check in the handling of the TLS heartbeat extension
can be used to reveal up to 64kB of memory to a connected client or
server,”
Unfortunately it is quite normal to have multiple versions of openSSL installed on your system, as well as multiple certificates and keys, therefore you may have to check in several places:
1. To check the version installed as a standard IBM LPP (Licenced program product):
# lslpp -l openssl.base
Fileset Level State Description
----------------------------------------------------------------------------
Path: /usr/lib/objrepos
openssl.base 1.0.1.500 COMMITTED Open Secure Socket Layer
Path: /etc/objrepos
openssl.base 1.0.1.500 COMMITTED Open Secure Socket Layer
[root@p520-aix61:/opt/syslog-ng]
# /usr/bin/openssl version
OpenSSL 1.0.1e 11 Feb 2013
2. To check the version installed using an RPM:
# rpm -qi openssl
Name : openssl Relocations: (not relocateable)
Version : 1.0.1g Vendor: (none)
Release : 1 Build Date: Tue Apr 8 18:49:04 CEST 2014
Install date: Mon Apr 14 11:59:33 CEST 2014 Build Host: aix51.perzl.org
Group : System Environment/Libraries Source RPM: openssl-1.0.1g-1.src.rpm
Size : 56530184 License: OpenSSL License
URL : http://www.openssl.org/
Summary : Secure Sockets Layer and cryptography libraries and tools
Description :
The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, fully featured, and Open Source toolkit implementing the
....
..
# /opt/freeware/bin/openssl version
OpenSSL 1.0.1g 7 Apr 2014
3. You should now use the find command to ensure that there are no manually installed versions.
4. Check which is your default version, ie the one that is called when you issue a call without specifying a pathname
# type openssl
openssl is /usr/bin/openssl
5. Finally visit IBM's security pages for the latest information:
http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq
In my example the LPP version 1.0.1.500 of OpenSSL is susceptible to heartbleed and should be replaced with version v1.0.1.502, The RPM version 1.0.1g is not affected. The updated install package can be obtained from:
https://www14.software.ibm.com/webapp/iwm/web/reg/download.do?source=aixbp&lang=en_US&S_PKG=openssl&cp=UTF-8
Once the update has been installed you need to configure your system as per the instructions in the IBM security bulletin:
http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq?mode=18&ID=3494&myns=pwraix71&mync=E
Once you have completed the update you can use this site to test your system:
https://filippo.io/Heartbleed/
It is worth remembering that your data may already have been stolen and thus you still need to take action such as reseting all your web user accounts etc. and checking your system has not been compromised in other ways.
Thanks for providing this informative information. it is very useful you may also refer- http://www.s4techno.com/blog/2016/07/11/to-get-set-acl-in-aix/
ReplyDelete