Vuln web cve-2014-0160
Revision as of 12:28, 11 April 2014
Heartbleed OpenSSL vulnerability
This vulnerability means that your system is running a version of OpenSSL that is affected by the Heartbleed vulnerability. It makes it possible for an attacker to remotely read information from your server's memory, including passwords, other sensitive information and private SSL keys. This is a very serious vulnerability: TLS and SSL based connections on your system can be compromised by an attacker, exposing any information sent over these connections.
Next Steps
Step 1) Patch OpenSSL
To fix this vulnerability you need to upgrade OpenSSL to a version that is not vulnerable to this hole. The following list provides links to specific vendors' websites with instructions to fix this vulnerability.
Red Hat: https://access.redhat.com/security/cve/CVE-2014-0160
CentOS: See the Red Hat information above. CentOS is a derivative of RHEL.
cPanel: https://cpanel.net/heartbleed-vulnerability-information/
Parallels Automation: http://kb.parallels.com/en/120984
Parallels Business Automation Standard: http://kb.parallels.com/en/120986
Parallels Plesk Panel: http://kb.parallels.com/en/120990
Parallels Virtualization products: http://kb.parallels.com/en/120989
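As an added example, not part of the original wiki page, the following POSIX shell snippet classifies an `openssl version` string against the Heartbleed-affected releases (1.0.1 through 1.0.1f and 1.0.2-beta1; fixed in 1.0.1g and 1.0.2-beta2) and shows the package-changelog check needed on Red Hat and CentOS, where the fix is backported without changing the upstream version string. The function names and the sample changelog text are constructed for this example.

```shell
#!/bin/sh
# Added example for the Heartbleed (CVE-2014-0160) remediation step above.
# Not code from the original wiki page; function names are hypothetical.

# Extract the bare OpenSSL version from a string such as
# "OpenSSL 1.0.1e-fips 11 Feb 2013" and classify it.
# Prints: vulnerable | not-vulnerable | unknown
heartbleed_status() {
    ver=$(printf '%s\n' "$1" \
        | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\(-beta[0-9]*\)\{0,1\}\).*/\1/p')
    case "$ver" in
        '')                             echo unknown ;;
        1.0.1|1.0.1[a-f]|1.0.2-beta1)   echo vulnerable ;;     # affected range
        *)                              echo not-vulnerable ;; # 1.0.1g+, 1.0.2-beta2+, or no heartbeat code (0.9.8, 1.0.0)
    esac
}

# Vendors such as Red Hat backport the fix and keep the 1.0.1e version
# string, so on RPM systems confirm via the package changelog instead.
# $1: changelog text (e.g. output of `rpm -q --changelog openssl`)
changelog_has_heartbleed_fix() {
    printf '%s\n' "$1" | grep -q 'CVE-2014-0160'
}

# Constructed sample changelog entry in the style of a backported fix.
SAMPLE_CHANGELOG='- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension'

# Stand-alone usage: inspect the locally installed OpenSSL, if any.
if command -v openssl >/dev/null 2>&1; then
    echo "local openssl version string says: $(heartbleed_status "$(openssl version)")"
fi
if command -v rpm >/dev/null 2>&1; then
    if changelog_has_heartbleed_fix "$(rpm -q --changelog openssl 2>/dev/null)"; then
        echo "rpm changelog records a CVE-2014-0160 fix"
    else
        echo "rpm changelog has no CVE-2014-0160 entry"
    fi
fi
```

A "vulnerable" verdict from the version string alone is only conclusive on systems that track upstream releases; on backporting distributions, trust the changelog check.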
Step 2) Optional: Add defense in depth to TLS to help mitigate potential future vulnerabilities
It is also recommended that you implement Perfect Forward Secrecy on your server to mitigate possible future vulnerabilities in the TLS protocol. Please see the PFS article for recommendations.
Outside references
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
https://isc.sans.edu/forums/diary/Heartbleed+vendor+notifications/17929