Control Web Panel

WebPanel => Updates => Topic started by: lvstrijland on August 31, 2016, 09:06:00 AM

Title: Update for openSSL is important!
Post by: lvstrijland on August 31, 2016, 09:06:00 AM
Dear CWP Development Team,

I ran a test for all services and found that there is a dangerous version of OpenSSL active on the server.
mod_ssl (part of OpenSSL) runs on version 2.2.31 and this version is already hacked and vulnerable to exploits, which means reverse shells for everyone!

Code:
mod_ssl/2.2.31 OpenSSL/1.0.1e-fips mod_antiloris/0.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082, OSVDB-756.
Please update this service!

Kind regards,
Laurens van Strijland
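
The scanner line in the post above is a version-string signature: it fires because "mod_ssl/2.2.31" sorts below 2.8.7. As an added example (not part of the original post, and not CWP or scanner code), the script below parses a Server banner of that form, reproduces the rule the finding describes, and then checks what the matched mod_ssl version actually is: in Apache 2.x mod_ssl ships inside httpd and advertises httpd's own version number, while the 2.8.x series that CVE-2002-0082 concerns is the separate mod_ssl add-on for Apache 1.3. The first banner is the one quoted in the post; the Apache 1.3 banner is constructed to show the case the signature was written for.

```shell
#!/bin/sh
# Added example, not part of the thread: take apart a Server banner and show
# what the CVE-2002-0082 signature is really matching on.
# CWP_BANNER is copied from the scanner output in the post; OLD_BANNER is a
# constructed Apache 1.3 banner with the separate mod_ssl 2.8.x add-on.
CWP_BANNER='Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips mod_antiloris/0.4'
OLD_BANNER='Apache/1.3.42 (Unix) mod_ssl/2.8.6 OpenSSL/0.9.8o'   # constructed

# banner_field BANNER NAME -> version advertised for component NAME ("" if absent)
banner_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s#^$2/##p" | head -n 1
}

# version_lt A B -> true when dotted version A is numerically below B
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i in x) ? x[i] + 0 : 0
            q = (i in y) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# cve_2002_0082_signature VERSION -> the rule behind the finding: mod_ssl < 2.8.7
cve_2002_0082_signature() {
    version_lt "$1" 2.8.7
}

# bundled_mod_ssl BANNER -> true when mod_ssl reports httpd's own version on
# an Apache 2.x server, i.e. it is the module shipped inside httpd and not the
# separate 2.8.x add-on for Apache 1.3 that the signature describes.
bundled_mod_ssl() {
    httpd=$(banner_field "$1" Apache)
    modssl=$(banner_field "$1" mod_ssl)
    [ -n "$httpd" ] && [ "$httpd" = "$modssl" ] && case "$httpd" in 2.*) return 0 ;; esac
    return 1
}

# triage BANNER -> no-match | signature-match | signature-match-apache2-bundled
triage() {
    modssl=$(banner_field "$1" mod_ssl)
    if [ -z "$modssl" ] || ! cve_2002_0082_signature "$modssl"; then
        echo no-match
    elif bundled_mod_ssl "$1"; then
        echo signature-match-apache2-bundled
    else
        echo signature-match
    fi
}

for b in "$CWP_BANNER" "$OLD_BANNER"; do
    printf '%-32s mod_ssl=%s OpenSSL=%s\n' "$(triage "$b")" \
        "$(banner_field "$b" mod_ssl)" "$(banner_field "$b" OpenSSL)"
done
```

The OpenSSL field is the part of the banner worth acting on; the later posts in this thread turn on where that value really comes from.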

Title: Re: Update for openSSL is important!
Post by: intellitech on October 27, 2016, 07:42:05 PM
Just to update: I have manually compiled and updated OpenSSL on CentOS 6.8 using the following steps (of course you need root privileges on the server):

1. Download LTS version of OpenSSL:

# cd /usr/src
# wget https://www.openssl.org/source/openssl-1.0.2j.tar.gz
# tar -zxf openssl-1.0.2j.tar.gz

2. Manually compile & upgrade / install OpenSSL:

# cd openssl-1.0.2j
# ./config
# make
# make test
# make install

3. Copy OpenSSL files:

# mv /usr/bin/openssl /root/
# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

4. Verify installed version of OpenSSL

# openssl version
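
The steps above build static libraries into /usr/local/ssl and then swap the distribution's /usr/bin/openssl for a symlink, which the next yum update of the openssl package puts back. As an added example, not the poster's steps, the script below does the same build with the two changes a practitioner would want: the tarball's detached PGP signature and its published SHA-256 are checked before anything is compiled, and `shared` is passed to ./config so libssl.so/libcrypto.so are produced (1.0.x builds only static archives by default). It installs under its own prefix and leaves the RPM-owned binary alone. Assumptions: the tarball and its .asc signature are fetched from https://www.openssl.org/source/ (older releases move under /source/old/), the OpenSSL release-signing key is already in root's keyring, and the caller sets EXPECTED_SHA256 to the hash published on that page; the version is the 1.0.2j from the post. Nothing that was linked against the distribution's libssl, httpd's mod_ssl included, changes until it is rebuilt against the new prefix.

```shell
#!/bin/sh
# Added example, not the steps from the post: fetch, verify and build an
# OpenSSL release as shared libraries under its own prefix, leaving the
# distribution's /usr/bin/openssl and libssl.so.10 untouched.
# Assumptions: tarball and .asc served from BASE_URL, the release-signing
# key already imported into root's gpg keyring, EXPECTED_SHA256 supplied by
# the caller from the value published on www.openssl.org.
set -e

VERSION="${VERSION:-1.0.2j}"                   # version used in the post
PREFIX="${PREFIX:-/usr/local/ssl}"             # the prefix ./config defaults to
BASE_URL="${BASE_URL:-https://www.openssl.org/source}"

# sha256_matches FILE HASH -> true when FILE's SHA-256 equals HASH
sha256_matches() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# fetch_and_verify VERSION -> download tarball plus detached signature, then
# check the signature and the published hash before anything is unpacked.
fetch_and_verify() {
    tarball="openssl-$1.tar.gz"
    wget -q "$BASE_URL/$tarball" "$BASE_URL/$tarball.asc"
    gpg --verify "$tarball.asc" "$tarball"
    sha256_matches "$tarball" "${EXPECTED_SHA256:?set to the hash published on openssl.org}"
    tar -zxf "$tarball"
}

# build_shared VERSION -> configure with `shared` so libssl.so/libcrypto.so
# are built, run the test suite and install under PREFIX. Binaries linked
# against the distribution's libssl keep using it until rebuilt against PREFIX.
build_shared() {
    cd "openssl-$1"
    ./config shared --prefix="$PREFIX" --openssldir="$PREFIX"
    make
    make test
    make install
}

if [ "${1:-}" = "install" ]; then
    cd /usr/src
    fetch_and_verify "$VERSION"
    build_shared "$VERSION"
    "$PREFIX/bin/openssl" version      # check the new build without touching /usr/bin/openssl
fi
```

Run as root with the single argument `install`; without it the script only defines the functions, so it can be sourced and the hash check reused on its own.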
Title: Re: Update for openSSL is important!
Post by: xjlin0 on November 25, 2016, 07:15:11 PM
Thanks for posting the steps.  One question:

Even though the compile and installation seem to work, how come my server info still shows 1.0.1e even after an Apache recompile? Is there anything I need to do to make Apache use the new 1.0.2j? Thanks!

Server type: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips
Title: Re: Update for openSSL is important!
Post by: Sandeep on November 26, 2016, 03:12:34 PM
You need to remove the current installation and try to install with the steps above.
Title: Re: Update for openSSL is important!
Post by: pcready.cl on December 12, 2016, 05:05:51 AM
[Quotes the compile-and-install steps from intellitech's post above in full.]

Doesn't work for me...
Title: Re: Update for openSSL is important!
Post by: batgranny on April 05, 2017, 09:45:11 AM
I'm experiencing the same issue. I've installed the latest OpenSSL and the terminal is reporting the correct version:

Code:
# openssl version
OpenSSL 1.0.2k  26 Jan 2017

but Apache is reporting the old version:

Code:
Server:Apache/2.2.32 (Unix) mod_ssl/2.2.32 OpenSSL/1.0.1e-fips
Is there a workaround for this?
Title: Re: Update for openSSL is important!
Post by: Netino on December 01, 2017, 01:57:02 AM
CWP is running a customized version of apache/mod_ssl (cwp-httpd).

Checking that version, we discover:
---------------------------------------
# strings /usr/local/apache/modules/mod_ssl.so | egrep '^mod_ssl\/|^OpenSSL '
OpenSSL 1.0.1e 11 Feb 2013
OpenSSL 1.0.1e 11 Feb 2013
---------------------------------------

So this update seems to be a must!
When would we have an updated version of CWP?
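
xjlin0, batgranny and Netino all ran into the same thing: `openssl version` reports whichever binary is first in PATH, while Apache's banner reports the OpenSSL that mod_ssl was compiled against and dynamically links at runtime. The check below is an added example (not CWP's code and not a poster's): it pulls the version text out of the module the way Netino's strings command does, asks the dynamic loader which libssl the module will actually load, and compares the result with the command-line binary. The module path is the CWP one Netino quotes; because the real module only exists on a CWP host, the script also exercises itself on a constructed file carrying the strings a 1.0.1e build embeds.

```shell
#!/bin/sh
# Added example, not from the thread: report which OpenSSL Apache's mod_ssl
# was built against and which libssl it loads at runtime, and compare that
# with the openssl binary in PATH. Module path is the CWP one from the thread.
MOD_SSL="${MOD_SSL:-/usr/local/apache/modules/mod_ssl.so}"

# embedded_openssl_version FILE -> version from the "OpenSSL x.y.z ..." text
# compiled into FILE (the value mod_ssl puts in the Server banner).
# Non-printable bytes become newlines first, so this works on a binary
# module without strings(1).
embedded_openssl_version() {
    tr -c '[:print:]' '\n' < "$1" \
        | sed -n 's/.*\(OpenSSL [0-9][0-9A-Za-z.-]*\).*/\1/p' \
        | head -n 1 | cut -d' ' -f2
}

# linked_libssl FILE -> the libssl the dynamic loader resolves for FILE.
# A module linked against the distribution's libssl.so.10 keeps loading it
# regardless of what `make install` put under /usr/local/ssl.
linked_libssl() {
    ldd "$1" 2>/dev/null | awk '/libssl/ { print $3; exit }'
}

# same_version A B -> true when the versions agree ignoring a "-fips" style
# suffix (1.0.1e-fips is the same library release as 1.0.1e).
same_version() {
    [ "${1%%-*}" = "${2%%-*}" ]
}

# report -> 0 when Apache and the openssl binary agree, 1 on a mismatch
report() {
    cli=$(openssl version 2>/dev/null | cut -d' ' -f2)
    mod=$(embedded_openssl_version "$MOD_SSL")
    printf 'openssl in PATH : %s\n' "${cli:-not found}"
    printf 'mod_ssl built on: %s, loads %s\n' "${mod:-unknown}" "$(linked_libssl "$MOD_SSL")"
    if [ -n "$cli" ] && [ -n "$mod" ] && ! same_version "$cli" "$mod"; then
        echo "MISMATCH: TLS is served with OpenSSL $mod until httpd/mod_ssl is rebuilt against the new library"
        return 1
    fi
    return 0
}

if [ "${1:-}" = "check" ]; then
    report
else
    # Offline demonstration: a constructed file carrying the version text a
    # module built against 1.0.1e embeds, so the script runs without a CWP host.
    demo=$(mktemp)
    printf 'mod_ssl/2.2.31\001OpenSSL 1.0.1e-fips 11 Feb 2013\001' > "$demo"
    printf 'demo module built on OpenSSL %s\n' "$(embedded_openssl_version "$demo")"
    rm -f "$demo"
fi
```

Run it with the argument `check` as root on the server. A mismatch is only resolved by rebuilding httpd/mod_ssl against the new prefix, or by taking the distribution's updated openssl package; note that the CentOS 6 package keeps the 1.0.1e-fips version string while carrying backported fixes, so the banner alone does not say which fixes are present (`rpm -q --changelog openssl` does).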
Title: Re: Update for openSSL is important!
Post by: thefantas on July 31, 2018, 03:30:15 AM
It doesn't seem to matter to anyone.