When we talk about OpenSSL, we are talking about security on the Internet, and especially about user authentication. But recently, on 7th of April, a security flaw was found in it, and it's serious!
So what to do?
Check Your Server
Check whether your server could be exposed to this bug.
I found an online tool that I hope will help: http://possible.lv/tools/hb/
Here is my test on one server. I found:
[..] ext 00015 (heartbeat, length=1) <-- Your server supports heartbeat. Bug is possible when linking against OpenSSL 1.0.1f or older. Let me check. Actively checking if CVE-2014-0160 works: Your server appears to be patched against this bug.
Secure It
According to the OpenSSL patch info (CVE-2014-0160), we need to:
- Use OpenSSL version 1.0.1g
- Or recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS
- For the OpenSSL 1.0.2 branch, the fix will be in 1.0.2-beta2
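To make the advisory's version ranges easy to apply on a box, here is an added helper script (my own, not from the OpenSSL advisory or the post above) that classifies an `openssl version` string against the affected releases and, when asked, inspects the local binary for the -DOPENSSL_NO_HEARTBEATS build flag via `openssl version -f`. Function names are my own.

```shell
#!/bin/sh
# Added example (not from the post): classify an OpenSSL version string
# against the advisory's affected range, and check the local openssl build.
# Affected: 1.0.1 through 1.0.1f and 1.0.2-beta1. Fixed: 1.0.1g, 1.0.2-beta2.
# Function and variable names are my own.

# heartbleed_version_affected "<openssl version string>"
# Prints "affected" or "not affected"; returns 0 only when affected.
heartbleed_version_affected() {
    # Second field of e.g. "OpenSSL 1.0.1f 6 Jan 2014" is the version token.
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    ver=${ver%-fips}   # "1.0.1e-fips" style builds carry the same code
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1)
            echo "affected"; return 0 ;;
        *)
            echo "not affected"; return 1 ;;
    esac
}

# check_local_openssl
# Uses the openssl binary on PATH: a build compiled with
# -DOPENSSL_NO_HEARTBEATS shows that flag in `openssl version -f`.
# Caveat: distributions sometimes backport the fix without changing the
# version string, so "affected" here means "confirm with a live test".
check_local_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH"; return 2; }
    v=$(openssl version)
    if openssl version -f | grep -q 'OPENSSL_NO_HEARTBEATS'; then
        echo "$v: built with -DOPENSSL_NO_HEARTBEATS (heartbeat disabled)"
        return 1
    fi
    printf '%s: ' "$v"
    heartbleed_version_affected "$v"
}

# Run the local check when invoked as: sh heartbleed_check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_local_openssl
fi
```

A version match only tells you the code base is in the affected range; the online tool above, which exercises the heartbeat extension, is still the way to confirm a backported fix.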
Patch Info
OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2. [Ref]
References
- Heartbleed Bug and all its news references
- Test Tool: http://possible.lv/tools/hb/