How to Update Plesk for the Heartbleed Bug


Today the “Heartbleed Bug” is taking the world by storm, and in this quick guide we’ll show you how to update Plesk for the Heartbleed bug on your CentOS (or other Linux variant) machine.

What is the Heartbleed Bug?

The Heartbleed bug is a vulnerability in the OpenSSL cryptographic library that allows theft of information normally protected by the SSL/TLS encryption used to secure the Internet. OpenSSL is open-source software that is widely used to encrypt web communications. SSL/TLS is what normally provides secure and private communication over the Internet via websites, email, IM, and VPNs. According to CNET, an attacker can exploit Heartbleed to essentially “get copies of a server’s digital keys then use that to impersonate servers or to decrypt communications from the past or potentially the future, too.”

Heartbleed is being taken so seriously because OpenSSL is widely used.

For Red Hat variants including CentOS:

yum update openssl

Follow all prompts

For non-nginx systems:

service httpd restart

For nginx systems:

service nginx restart

To protect the Plesk panel itself:

service sw-cp-server restart

If you have mail and/or database services active, restart those as well, as they also link against OpenSSL and keep the old library in memory until they are restarted.

The simplest approach is to reboot the entire server, which restarts every service at once.

Verify the version is now updated to 1.0.1e-16.el6_5.4.01 or 1.0.1e-16.el6_5.7 or 1.0.1g:

rpm -q openssl

Test to make sure you are patched here: http://filippo.io/Heartbleed/
Or here: https://www.ssllabs.com/ssltest/index.html

On Debian-based systems use:

sudo apt-get update
sudo apt-get upgrade

Verify the version is now updated to 1.0.1e-16.el6_5.4.01 or 1.0.1e-16.el6_5.7 or 1.0.1g:

dpkg -l openssl
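The two verification steps above (check the installed package version, and make sure every service that loads OpenSSL was actually restarted) can be scripted. The following is an added example written for this page, not code from the original post or from Plesk. It covers both the CentOS and the Debian procedures: on CentOS it compares the `rpm -q openssl` output against the fixed builds the post lists; on Debian it prints the `libssl1.0.0` version (Debian's package name for the 1.0.1 library) for manual comparison, since the post gives no Debian version strings. The second check scans `/proc/PID/maps` for a libssl or libcrypto file tagged `(deleted)`, which is how the kernel marks a library that was replaced on disk while a process still has the old copy mapped. All function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): post-update verification for a
# Plesk host after "yum update openssl" or "apt-get upgrade".
#
# Checks:
#   1. the installed OpenSSL package is one of the builds the post names as fixed
#      (CentOS/RHEL 6 only; Debian prints the version for manual comparison);
#   2. no running process still maps the OLD libssl/libcrypto. The upgrade
#      unlinks the old files, so /proc/PID/maps shows them as "(deleted)";
#      any such process was not restarted and still runs the vulnerable code.
#
# Assumptions: /proc is mounted; rpm or dpkg-query is available; the package
# holding the library on Debian/Ubuntu is libssl1.0.0.

# Builds the post names as patched on CentOS 6. Keep this list in sync with
# the vendor advisory; it is the only place a version is hard-coded.
PATCHED_VERSIONS="1.0.1e-16.el6_5.4.01 1.0.1e-16.el6_5.7 1.0.1g"

# is_patched_openssl "<output of rpm -q openssl>" -> 0 if patched, 1 otherwise
is_patched_openssl() {
    installed=$1
    for v in $PATCHED_VERSIONS; do
        case "$installed" in
            # "openssl-<v>" followed by ".<arch>" or "-<release>" (or nothing)
            openssl-$v[.-]*|openssl-$v) return 0 ;;
        esac
    done
    return 1
}

# maps_has_stale_libssl: read /proc/PID/maps lines on stdin; exit 0 if any
# mapped libssl/libcrypto file has been replaced on disk ("(deleted)").
maps_has_stale_libssl() {
    grep -Eq 'lib(ssl|crypto)\.so[^ ]* \(deleted\)$'
}

# stale_libssl_pids: print "PID COMMAND" for every process still holding the
# old library. After a correct restart this prints nothing.
stale_libssl_pids() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if maps_has_stale_libssl 2>/dev/null < "$maps"; then
            echo "$pid $(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}

# heartbleed_check: run both checks; exit status 0 only if everything passes.
heartbleed_check() {
    status=0
    if command -v rpm >/dev/null 2>&1; then
        ver=$(rpm -q openssl)
        if is_patched_openssl "$ver"; then
            echo "OK   openssl package: $ver"
        else
            echo "FAIL openssl package: $ver (not in PATCHED_VERSIONS)"; status=1
        fi
    elif command -v dpkg-query >/dev/null 2>&1; then
        # Debian/Ubuntu: the shared library lives in libssl1.0.0, not "openssl"
        ver=$(dpkg-query -W -f='${Version}' libssl1.0.0 2>/dev/null)
        echo "INFO libssl1.0.0 version: ${ver:-not installed}; compare with your distro's advisory"
    fi

    stale=$(stale_libssl_pids)
    if [ -n "$stale" ]; then
        echo "FAIL processes still using the pre-update OpenSSL (restart them):"
        echo "$stale"; status=1
    else
        echo "OK   no process maps a deleted libssl/libcrypto"
    fi
    return $status
}

# Run only when invoked as: sh heartbleed_check.sh --run
if [ "${1:-}" = "--run" ]; then
    heartbleed_check
fi
```

Run it as root after the update (`sh heartbleed_check.sh --run`); a non-zero exit means either the package is not one of the listed builds or a service (httpd, nginx, sw-cp-server, mail or database daemons) is still holding the old library and needs a restart. The `(deleted)` scan is the check that catches the common mistake of updating the package but forgetting one daemon.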

Once you’ve updated your machine, please remember to re-issue all SSL certificates with new private keys, as the old keys may have been compromised.

Please note: I’ve received a lot of mail about the versions that I’m stating are fixed. Many websites state that OpenSSL versions 1.0.1 – 1.0.1f are affected and that you MUST update to version 1.0.1g. This is incorrect. Version 1.0.1e-16.el6_5.4.01 was an initial release by the CentOS team as a temporary fix. If you have version 1.0.1e-16.el6_5.4.01 you are patched; however, there is a non-temporary fix, which is version 1.0.1e-16.el6_5.7. Follow the same procedure above to update to 1.0.1e-16.el6_5.7. Version 1.0.1e-16.el6_5.7 is the official CentOS release to thwart the “Heartbleed Bug”.

For more information on the “Heartbleed Bug” refer to these links:
Finnish National Cyber Security Center: NCSC-FI is distributing advisories and updates to technical communities.
Heartbleed.com: This contains FAQs with (mostly) simple answers.
Amazon Web Services: The AWS status page has minimal information now, but more updates may come soon.
CNET: ‘Heartbleed’ bug undoes Web encryption, reveals Yahoo passwords
Ars Technica: Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping

From all of us at WireFlare we ask that you help others find the answers they are looking for. Please leave a comment or share this post!

About


I'm the President of WireFlare. I have a passion for creativity, online business and internet security. I strive to create a community that empowers people to be themselves. I'm an adventurist, fun loving and caring. Find me hiking in places most people don't dare to go!
