OpenSSL is cryptographic software which provides SSL (Secure Sockets Layer) or TLS (Transport Security Layer) encryption to secure communication over the internet e.g. web, email, VPN and IM
A bug has been discovered in certain versions which allow attackers to read the memory of the systems running affected versions. The security firm Codenomicon which discovered the bug stated this allows attackers to obtain sensitive information including keys, passwords, username and content which can be used to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.
Customers who have their own Cloud VM, VPS, Dedicated or Co-located servers should update their servers to protect against this issue.
For Debian/Ubuntu servers:
apt-get update and apt-get upgrade
For RHEL/CentOS based servers:
yum update and yum upgrade
For customers upgrading from Centos 6.0 please be aware of:
https://help.blacknight.com/entries/22933593-Cloud-VM-CentOS-6-0-to-CentOS-6-2-yum-upgrade
Some operating system distributions that have shipped with potentially vulnerable OpenSSL version:
- Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
- Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
- CentOS 6.5, OpenSSL 1.0.1e-15
- Fedora 18, OpenSSL 1.0.1e-4
- OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
- FreeBSD 8.4 (OpenSSL 1.0.1e) and 9.1 (OpenSSL 1.0.1c)
- NetBSD 5.0.2 (OpenSSL 1.0.1e)
- OpenSUSE 12.2 (OpenSSL 1.0.1c)
What versions of the OpenSSL are affected?
Status of different versions:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable