How to Update Plesk for the Heartbleed Bug
Today the “Heartbleed Bug” is taking the world by storm, and in this quick guide we’ll show you how to update Plesk for the Heartbleed bug on your CentOS (or other Linux variant) machine.
What is the Heartbleed Bug?
The Heartbleed bug is a vulnerability in the OpenSSL cryptographic library that allows stealing of information normally protected by the SSL/TLS encryption used to secure the Internet. OpenSSL is open-source software that is widely used to encrypt web communications. SSL/TLS is what normally provides secure and private communication over the Internet via websites, email, IM, and VPNs. According to CNET, an attacker can exploit Heartbleed to essentially “get copies of a server’s digital keys then use that to impersonate servers or to decrypt communications from the past or potentially the future, too.”
Heartbleed is being taken so seriously because OpenSSL is widely used.
For Red Hat variants including CentOS:
yum update openssl
Follow all prompts
For non-nginx systems:
service httpd restart
For nginx systems:
service nginx restart
To protect the Plesk panel itself:
service sw-cp-server restart
If you have mail and/or database services active, restart those as well: they also link against the OpenSSL library and keep the old, vulnerable copy loaded in memory until they are restarted.
For an easier approach, restart the entire server.
Verify that the installed version is now 1.0.1e-16.el6_5.4.01, 1.0.1e-16.el6_5.7, or 1.0.1g:
rpm -q openssl
Test to make sure you are patched here: http://filippo.io/Heartbleed/
Or here: https://www.ssllabs.com/ssltest/index.html
On Debian-based variants use:
sudo apt-get update
sudo apt-get upgrade
Verify the version is now updated to 1.0.1e-16.el6_5.4.01 or 1.0.1e-16.el6_5.7 or 1.0.1g:
dpkg -l openssl
Once you’ve updated your machine please remember to re-issue all SSL certificates as they may have been compromised.
Please note: I’ve received a lot of mail about the versions that I’m stating are fixed. Many websites state that OpenSSL versions 1.0.1 – 1.0.1f are affected and that you MUST update to version 1.0.1g. This is incorrect. Version 1.0.1e-16.el6_5.4.01 was an initial release by the CentOS team as a temporary fix. If you have version 1.0.1e-16.el6_5.4.01 you are patched; however, there is a non-temporary fix, which is version 1.0.1e-16.el6_5.7. Follow the same procedure above to update to 1.0.1e-16.el6_5.7. Version 1.0.1e-16.el6_5.7 is the official CentOS release to thwart the “Heartbleed Bug”.
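As an added example (not from the original post, and not part of Plesk or CentOS), here is a POSIX shell script that automates the two checks the guide describes on a CentOS/Plesk host: it compares the installed openssl package against the patched builds named above, and lists processes that still have the pre-update libssl/libcrypto mapped, i.e. the services that still need a restart. The `check` argument and the function names are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: confirm the installed openssl
# build is one the post names as patched, and find processes that still
# have the pre-update libssl/libcrypto mapped and so still need a restart.

# Builds the post lists as fixed (CentOS 6 packages and upstream 1.0.1g).
PATCHED="1.0.1e-16.el6_5.4.01 1.0.1e-16.el6_5.7 1.0.1g"

# rpm_version NAME: strip "openssl-" and the trailing arch from the default
# `rpm -q openssl` output, e.g. openssl-1.0.1e-16.el6_5.7.x86_64 -> 1.0.1e-16.el6_5.7
# (only the first line is used on multilib hosts that list two packages).
rpm_version() {
    printf '%s\n' "$1" | head -n 1 | sed -e 's/^openssl-//' -e 's/\.[^.]*$//'
}

# heartbleed_patched VERSION: exit 0 if VERSION is a patched build.
# Upstream 1.0.1a-1.0.1f are vulnerable; 1.0.1g and later are fixed. Any
# other string is reported as not confirmed (exit 1) rather than guessed.
heartbleed_patched() {
    for p in $PATCHED; do
        [ "$1" = "$p" ] && return 0
    done
    case $1 in
        1.0.1[a-f]|1.0.1[a-f]-*) return 1 ;;   # e.g. the older el6_5.4 build
        1.0.1[g-z]|1.0.1[g-z]-*) return 0 ;;
    esac
    return 1
}

# stale_ssl_pids: PIDs whose memory map still references a deleted
# libssl/libcrypto; these loaded the old library before the update and
# must be restarted (httpd, nginx, sw-cp-server, mail and DB daemons).
stale_ssl_pids() {
    for maps in /proc/[0-9]*/maps; do
        if grep -Eq 'lib(ssl|crypto)\.so.*\(deleted\)' "$maps" 2>/dev/null; then
            pid=${maps#/proc/}
            printf '%s\n' "${pid%/maps}"
        fi
    done
}

heartbleed_report() {
    v=$(rpm_version "$(rpm -q openssl)") || return 1
    if heartbleed_patched "$v"; then echo "openssl $v: patched build"
    else echo "openssl $v: NOT a confirmed patched build, run: yum update openssl"; fi
    stale=$(stale_ssl_pids | tr '\n' ' ')
    [ -n "$stale" ] && echo "still using the old libssl, restart: $stale"
}

# Run the live report only when invoked as: sh heartbleed_check.sh check
if [ "${1:-}" = check ]; then heartbleed_report; fi
```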
For more information on the “Heartbleed Bug” refer to these links:
• Finnish National Cyber Security Center: NCSC-FI is distributing advisories and updates to technical communities.
• Heartbleed.com: This contains FAQs with (mostly) simple answers.
• Amazon Web Services: The AWS status page has minimal information now, but more updates may come soon.
• CNET: ‘Heartbleed’ bug undoes Web encryption, reveals Yahoo passwords
• Ars Technica: Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping
From all of us at WireFlare we ask that you help others find the answers they are looking for. Please leave a comment or share this post!
About Todd
I'm the President of WireFlare. I have a passion for creativity, online business and internet security. I strive to create a community that empowers people to be themselves. I'm an adventurist, fun loving and caring. Find me hiking in places most people don't dare to go!