OpenSSL vulnerability (CVE-2014-0224)

spinmaster
Posts: 10
Joined: 2014/11/19 19:30:22

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by spinmaster » 2014/11/19 23:47:46

httpd (Apache) was restarted before the scans.

As for the locate command, I am on a different machine not on the ACL so I can't run the command, but I see libssl.so.4 & libssl.so.6 in /lib and /lib64 in the file system.


I much appreciate you giving your attention to this!

S.

spinmaster
Posts: 10
Joined: 2014/11/19 19:30:22

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by spinmaster » 2014/11/19 23:52:30

The openssl helper service was restarted as well.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by TrevorH » 2014/11/20 10:05:44

We'd need the info about libssl from the machine itself. The idea is to find copies of openssl that have been installed outside the package management system and that might be being picked up in preference to the system supplied copy.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

spinmaster
Posts: 10
Joined: 2014/11/19 19:30:22

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by spinmaster » 2014/11/20 21:31:47

I see.

Below is the output from the command.
====================================
root@mail [~]# locate libssl.so
/lib/.libssl.so.0.9.8e.hmac
/lib/.libssl.so.6.hmac
/lib/libssl.so.0.9.8e
/lib/libssl.so.4
/lib/libssl.so.6
/lib64/.libssl.so.0.9.8e.hmac
/lib64/.libssl.so.6.hmac
/lib64/libssl.so.0.9.8e
/lib64/libssl.so.4
/lib64/libssl.so.6
/usr/lib/libssl.so
/usr/lib64/libssl.so

==================================
Does it look like something is in the way of the latest patch?

Thank you very much for your help.

S.

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by gerald_clark » 2014/11/20 21:47:21

libssl.so.4 is not a CentOS library.

spinmaster
Posts: 10
Joined: 2014/11/19 19:30:22

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by spinmaster » 2014/11/20 23:15:43

A more extensive search found one more file, not a directory.

/usr/lib64/libssl.so.1.0.0 463517 bytes

spinmaster
Posts: 10
Joined: 2014/11/19 19:30:22

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by spinmaster » 2014/11/20 23:17:03

gerald_clark wrote: libssl.so.4 is not a CentOS library.

Could it be the cause of the patch not sticking?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by TrevorH » 2014/11/20 23:22:46

You have at least two rogue copies of libssl.so installed there that should not be part of a CentOS 5 system. Neither /lib/libssl.so.4 nor /lib64/libssl.so.4 nor /usr/lib64/libssl.so.1.0.0 are CentOS supplied and all are possibly vulnerable. You should run rpm -qf /usr/lib64/libssl.so.1.0.0 (repeat for all 3 files) and see if they belong to a package and if they do, either seek newer copies of that package or remove it. If they're not owned by any package then I do not know how you go about testing but I would rename them all and see what breaks. What damage that breakage might cause is unknown but with a rename you can always put it back if necessary while you seek a better solution.
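One way to carry out the check TrevorH describes, as an added example that is not from this thread or from CentOS: ask rpm which package owns each libssl copy in the standard library directories, list the copies nobody owns, and use ldd to see which libssl the dynamic linker actually resolves for httpd's mod_ssl (the part of httpd that links libssl). It assumes rpm and ldd are present on the box and that mod_ssl lives at /etc/httpd/modules/mod_ssl.so; the RPM_CMD and LDD_CMD variables are hypothetical overrides added only so the logic can be exercised with stub commands.

```shell
#!/bin/sh
# Added example: audit libssl copies on a CentOS host and find the one httpd loads.
# RPM_CMD / LDD_CMD are hypothetical overrides (default to the real tools) so the
# functions can be driven by stubs on a machine without rpm.
RPM_CMD="${RPM_CMD:-rpm}"
LDD_CMD="${LDD_CMD:-ldd}"

# lib_owner PATH: print the owning package and return 0; return 1 when
# "rpm -qf" reports the file as not owned by any package (a rogue copy).
lib_owner() {
    pkg=$("$RPM_CMD" -qf "$1" 2>/dev/null) || return 1
    printf '%s\n' "$pkg"
}

# find_libssl DIR...: every libssl.so* regular file directly under DIR...
# (non-recursive, mirroring the thread's locate output), in a fixed order.
find_libssl() {
    find "$@" -maxdepth 1 -type f -name 'libssl.so*' 2>/dev/null | LC_ALL=C sort
}

# rogue_libssl DIR...: the libssl copies under DIR... that no package owns.
rogue_libssl() {
    find_libssl "$@" | while IFS= read -r lib; do
        lib_owner "$lib" >/dev/null || printf '%s\n' "$lib"
    done
}

# libssl_loaded_by BINARY: the libssl path ldd resolves for BINARY (a shared
# object such as mod_ssl.so works too); prints nothing if it links no libssl.
libssl_loaded_by() {
    "$LDD_CMD" "$1" 2>/dev/null | awk '$1 ~ /^libssl\.so/ && $2 == "=>" { print $3 }'
}

# audit_httpd_libssl MODULE DIR...: report every rogue copy under DIR..., and
# flag the one MODULE is actually loading, if any.
audit_httpd_libssl() {
    mod="$1"; shift
    loaded=$(libssl_loaded_by "$mod")
    printf '%s loads: %s\n' "$mod" "${loaded:-no libssl}"
    rogue_libssl "$@" | while IFS= read -r lib; do
        if [ "$lib" = "$loaded" ]; then
            printf 'ROGUE (in use by httpd): %s\n' "$lib"
        else
            printf 'ROGUE: %s\n' "$lib"
        fi
    done
}

# Run the audit on a real host with: sh audit_libssl.sh --run
# (mod_ssl path assumed; the library directories are the ones from the thread)
case "${1:-}" in
    --run) audit_httpd_libssl /etc/httpd/modules/mod_ssl.so /lib /lib64 /usr/lib /usr/lib64 ;;
esac
```

A copy that rpm owns can be fixed by updating that package; a copy nobody owns is the one to rename and re-test, as suggested above. If mod_ssl resolves to the unowned copy, that explains why the scanner still flags the host after `yum update openssl`: the patched package is installed, but httpd never loads it.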

spinmaster
Posts: 10
Joined: 2014/11/19 19:30:22

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by spinmaster » 2014/11/22 17:16:12

Thank you very much for the help. This is looking promising.

It appears httpd is using /usr/lib64/libssl.so.1.0.0, so it won't start without it.
I had to keep it in place for now.

If /usr/lib64/libssl.so.1.0.0 is indeed a wrong module, how do I update that to point to the latest patch?

Many many thanks!

S.

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by gerald_clark » 2014/11/22 17:32:20

The CentOS supplied httpd uses the CentOS supplied openssl.
Where did you get your httpd?
Are you running a control panel?
