Tuesday, April 8, 2014

How to Fix OpenSSL Heart Bleed Bug on Ubuntu

If you're looking for how to update your Amazon Elastic Load Balancer, click here instead.

The recently discovered "Heart Bleed" bug in OpenSSL is an extremely critical security issue. Fixing it is relatively simple now that Ubuntu has pushed out changes to their repositories containing a fixed version of OpenSSL.

The following steps need to be run on each server on which you generated a certificate or private key. If you are using one certificate on multiple servers, then the cert needs to be revoked and regenerated on one of them and then pushed to each of the other servers.

UPDATE: Thanks to anonymous commenter for pointing out that relying solely on the build information is not completely accurate. Versions earlier than 1.0.1 are not vulnerable (although you should upgrade now that a fix is live for the latest version).

First, to confirm that you don't already have the fixed version, run the following commands:

openssl version -b

openssl version -a

The response will look like:

OpenSSL 1.0.1 14 Mar 2012

built on: Wed Jan  8 20:45:51 UTC 2014

If the build date is older than "Mon Apr  7 20:33:29 UTC 2014" and the version is 1.0.1, then you are vulnerable to the Heart Bleed bug.

UPDATE: Reworded the above to make it clearer that the vulnerable versions were built before April 7th.

UPDATE: As James points out in the comments, different versions may have been built at different times, thus you should rely only on the date, not the time. Anything before Apr 7 is considered vulnerable.
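The rule above (1.0.1 branch plus a build date before Apr 7) is easy to misread by eye, as the comments below show, so here it is as a small POSIX shell script that applies it to the output of "openssl version -a". This is an added example, not part of the original post; the sample version and "built on:" lines it is fed are constructed, and the script reports "unknown" rather than guessing when the build line carries no date (newer OpenSSL builds print "reproducible build, date unspecified").

```shell
#!/bin/sh
# Added example (not from the original post): apply the post's rule to the
# output of `openssl version -a` so a fleet of Ubuntu servers can be checked
# the same way. Rule: the 1.0.1 branch (1.0.1 through 1.0.1f) built before
# 7 Apr 2014 is vulnerable; 0.9.8/1.0.0 never were, and 1.0.1g+ is fixed.

# Does the version line name a release from the affected 1.0.1 branch?
# Ubuntu's patched package keeps the "1.0.1" string, so the build date decides.
is_affected_branch() {
    case "$1" in
        "OpenSSL 1.0.1 "*|"OpenSSL 1.0.1"[a-f]" "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Turn "built on: Mon Apr  7 20:33:29 UTC 2014" into 20140407. Prints nothing
# when the line carries no parseable date, so the caller reports "unknown".
build_date_key() {
    set -f                          # no globbing while the line is split
    set -- $1                       # $4=month $5=day $8=year
    set +f
    [ "$#" -ge 8 ] || return 0
    case "$4" in
        Jan) m=01 ;; Feb) m=02 ;; Mar) m=03 ;; Apr) m=04 ;; May) m=05 ;; Jun) m=06 ;;
        Jul) m=07 ;; Aug) m=08 ;; Sep) m=09 ;; Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
        *) return 0 ;;
    esac
    case "$5" in [0-9]) d="0$5" ;; [0-9][0-9]) d=$5 ;; *) return 0 ;; esac
    case "$8" in [0-9][0-9][0-9][0-9]) y=$8 ;; *) return 0 ;; esac
    printf '%s%s%s\n' "$y" "$m" "$d"
}

# Print one verdict word: vulnerable, not-vulnerable or unknown.
# $1 = first line of `openssl version -a`, $2 = its "built on:" line.
heartbleed_check() {
    if ! is_affected_branch "$1"; then
        echo "not-vulnerable"
        return 0
    fi
    key=$(build_date_key "$2")
    if [ -z "$key" ]; then
        echo "unknown"
    elif [ "$key" -lt 20140407 ]; then
        echo "vulnerable"            # 1.0.1 branch built before the fix was published
    else
        echo "not-vulnerable"        # distro rebuild on/after Apr 7 2014
    fi
}

# Check the local binary: sh check-heartbleed.sh --live
live_check() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 2; }
    out=$(openssl version -a)
    version_line=$(printf '%s\n' "$out" | head -n 1)
    built_line=$(printf '%s\n' "$out" | grep '^built on:' || true)
    printf '%s\n%s\n' "$version_line" "$built_line"
    heartbleed_check "$version_line" "$built_line"
}

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

The date heuristic only holds for distribution packages that were rebuilt with the fix; for a self-compiled OpenSSL the build date says nothing about whether the heartbeat patch is in, and the package changelog (or the distribution's security notice) is the authoritative source.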

Next, update your repositories:

sudo apt-get update

Once this finishes, upgrade openssl:

sudo apt-get upgrade openssl

sudo apt-get install openssl libssl1.0.0

UPDATE: use the install command to upgrade only openssl and libssl rather than upgrading everything on the server.

Once the upgrade finishes, check the version again. It should now read "Apr 7" or later.

Now, you need to regenerate your certificate using a new private key. This process is the same as it has always been, but I am including the link here for posterity's sake:

(Use step 3 and replace the key and cert names with your existing ones to overwrite them).

Once finished, you need to restart your Apache server and any services using SSL.
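The two follow-up steps, regenerating the key and making sure every SSL-using service really restarted, as an added shell example that is not part of the original post. The key and CSR paths, the CN in the subject and the /proc maps excerpts are constructed assumptions. The restart check relies on the kernel marking a mapping of a replaced library file with "(deleted)" in /proc/<pid>/maps: a daemon that still shows such a libssl or libcrypto mapping is still executing the old, vulnerable code even though the package on disk is fixed (this is what comment 7 below is about).

```shell
#!/bin/sh
# Added example (not part of the original post). Paths, the CSR subject and
# the sample maps lines are hypothetical.

# Step 1: a fresh private key and CSR. The old key may have been read out of
# server memory while it was vulnerable, so reusing it defeats the upgrade.
regenerate_key_and_csr() {
    key=${1:-/etc/ssl/private/server.key}      # hypothetical default paths
    csr=${2:-/etc/ssl/private/server.csr}
    cn=${3:-www.example.com}
    (umask 077 && openssl genrsa -out "$key" 2048) || return 1   # key readable by root only
    openssl req -new -key "$key" -out "$csr" -subj "/CN=$cn" || return 1
    # Digest of the new modulus: compare with the old key's to confirm it changed
    # before sending the CSR to the CA.
    openssl rsa -noout -modulus -in "$key" | openssl sha1
}

# Step 2: read /proc/<pid>/maps-format lines on stdin and print "yes" when any
# libssl/libcrypto mapping points at a file that was replaced after the process
# started (the kernel appends "(deleted)" to such entries), else "no".
classify_maps() {
    stale=no
    while IFS= read -r line; do
        case "$line" in
            */libssl.so*"(deleted)"|*/libcrypto.so*"(deleted)") stale=yes ;;
        esac
    done
    echo "$stale"
}

# Walk every process and list the ones that still need a restart.
# Run as root, otherwise other users' maps files are unreadable and skipped.
find_stale_ssl_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        [ -r "$maps" ] || continue
        if [ "$(classify_maps < "$maps")" = yes ]; then
            comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
            printf '%s\t%s\tstill maps the old libssl/libcrypto: restart it\n' "$pid" "$comm"
        fi
    done
}

# Constructed maps excerpts: a daemon that was not restarted after the upgrade,
# and one that was (same library path, new inode, no "(deleted)" marker).
SAMPLE_STALE='7f3b2c000000-7f3b2c1c8000 r-xp 00000000 08:01 1234567 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3b2d000000-7f3b2d021000 r-xp 00000000 08:01 2222222 /lib/x86_64-linux-gnu/ld-2.15.so'
SAMPLE_FRESH='7f3b2c000000-7f3b2c1c8000 r-xp 00000000 08:01 1234999 /lib/x86_64-linux-gnu/libssl.so.1.0.0
7f3b2d000000-7f3b2d021000 r-xp 00000000 08:01 2222222 /lib/x86_64-linux-gnu/ld-2.15.so'

# Usage: sh post-upgrade.sh --scan      (list services that still need a restart)
if [ "${1:-}" = "--scan" ]; then
    find_stale_ssl_processes
fi
```

A reboot is the blunt way to get the same result; the scan is for hosts where you would rather restart only Apache, nginx, Postfix, OpenVPN and whatever else the list names. The checkrestart tool from the debian-goodies package performs the same kind of deleted-mapping scan for all libraries, not just OpenSSL.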

Update: Now with video:

38 comments:

  1. Matt, per heartbleed.com, OpenSSL 0.9.8 branch is not vulnerable. So judging vulnerability by the date of the build isn't accurate.

    ReplyDelete
    Replies
    1. Thank you for pointing this out. I have updated the post accordingly - the main difference is to use "openssl version -a" and look at the version number.

      Delete
    2. Thanks Matt. I got the answer now. I just did this: sudo apt-get install -y libssl1.0.0 openssl. It worked.

      Delete
  2. I am not computer savvy, I don't have Ubuntu, so I am unsure if I need to do anything about this bug? I don't run any websites, I just use social media blogs. Is there anything I have to do?

    ReplyDelete
    Replies
    1. You shouldn't have to do anything. The services you use (Facebook, Twitter, etc.) are responsible for updating their sites (and have been all day).

      Delete
    2. well, Anonymous may wish to change his passwords once he's sure the services have updated their servers.

      Delete
  3. You should probably update the following statement:

    > If the date is not more recent than "Mon Apr 7 20:33:29 UTC 2014"

    since different builds of the fixed OpenSSL for different architectures were built at different times, some of them earlier than that, for example on my system it's "built on: Mon Apr 7 20:31:55 UTC 2014". I wasn't quite sure initially if that meant I was vulnerable or not, so you should probably update it to say anything built before April 7 is vulnerable.

    ReplyDelete
    Replies
    1. Thanks for pointing this out - I am updating it now.

      Delete
    2. Maybe "If the date is not more recent than" should be changed to "If the date is older than". To me it currently reads as the build Apr 7 is vulnerable. (although contradicted in the next paragraph).
      Thanks for this guide though!

      Delete
  4. I am also not computer savvy- please feel free to ignore or delete this: I note that the procedure also does not appear to work for Ubuntu 13.04. Perhaps the reason is that ver. 13.04 is no longer being updated and maintained by Canonical.

    ReplyDelete
    Replies
    1. I'd had the same problem and needed to patch some old 13.04 systems. Posted the builds we did here: http://invalidlogic.com/2014/04/10/openssl-heartbleed-patches-for-ubuntu-13-04/

      Delete
  5. The digitalocean link is broken

    ReplyDelete
  6. Hi Matthew,

    Here is how it should look to fix issue:

    sudo apt-get install openss llibssl1.0.0

    ReplyDelete
    Replies
    1. you mean?
      sudo apt-get install openssl libssl1.0.0

      Delete
  7. A rather big extra note is that you need to restart at least openssl for the fix to take effect. Simply upgrading while openssl is running will not resolve the issue.

    ReplyDelete
  8. We have Outlook Web Access but do not use OpenSSL. However, one site that tested our site said bug is possible when linking against OpenSSL 1.0.1f or older. What do I need to do to patch this?

    ReplyDelete
  9. Followed these steps and rebooted. Didn't work.. still have build date of Jan 8 2014.

    ReplyDelete
    Replies
    1. Same problem here.

      What is the solution??

      Delete
    2. Same problem. How to solve this?

      Delete
  10. Oh, this is upgrading all packages on Ubuntu, not only openssl, if you do "apt-get upgrade" you get the same as "apt-get upgrade openssl"

    ReplyDelete
    Replies
    1. I see what you mean, I don't want to upgrade all packages (php, mysql, etc) to the latest versions, just openssl. How to do this?

      Delete
    2. This comment has been removed by the author.

      Delete
    3. "apt-get install openssl" should install the latest version.

      Delete
  11. It is unfortunately updating the whole server, which can affect other behavior of the server. Please let me know if you find a solution; I'm searching too.

    ReplyDelete
    Replies
    1. If you just do sudo apt-get install openssl libssl1.0.0 it will only update those packages.

      Delete
  12. Why does "openssl version -a" still show the version 1.0.1 14 Mar 2012, while the -b shows updated date of April 7th?

    ReplyDelete
  13. They're right.. you need to update both the openssl and the libssl1.0.0 packages or else you're still affected.

    ReplyDelete
  14. This comment has been removed by the author.

    ReplyDelete
  15. Now there are no leaks..! But why updating ssl certificates? Is it necessary or just being safer?

    ReplyDelete
    Replies
    1. because your keys might have been stolen before updating the openssl stuff

      Delete
  16. After update i am getting
    built on: Wed Jan 8 20:51:55 UTC 2014
    only

    ReplyDelete
    Replies
    1. same for me - something to do with the repos maybe?

      Delete
    2. Same for me, I can't get it to update the build.

      Delete
    3. http://www.ubuntu.com/usn/usn-2165-1/

      Delete
  17. When I update my openSSL version on Ubuntu13.04 --- I can only download OpenSSL 1.0.1c 10 May 2012

    Tried changing my repos - no joy!

    ReplyDelete
  18. If you need to test this on your own server, you can download the code and run it yourself;

    http://www.podciborski.co.uk/unix/heart-bleed-exploit-example-code/

    ReplyDelete