Control Web Panel
WebPanel => Updates => Topic started by: lvstrijland on August 31, 2016, 09:06:00 AM
-
Dear CWP Development Team,
I ran a test for all services and found that there is a dangerous version of OpenSSL active on the server.
mod_ssl (part of OpenSSL) runs on version 2.2.31 and this version is already hacked and vulnerable to exploits, which means reverse shells for everyone!
mod_ssl/2.2.31 OpenSSL/1.0.1e-fips mod_antiloris/0.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082, OSVDB-756.
Please update this service!
Kind regards,
Laurens van Strijland
-
Just to update - I have manually compiled and updated OpenSSL on a CentOS 6.8 - using the following steps (of course you need root privileges on the server) -
1. Download LTS version of OpenSSL:
# cd /usr/src
# wget https://www.openssl.org/source/openssl-1.0.2j.tar.gz
# tar -zxf openssl-1.0.2j.tar.gz
2. Manually compile & upgrade / install OpenSSL:
# cd openssl-1.0.2j
# ./config
# make
# make test
# make install
3. Copy OpenSSL files:
# mv /usr/bin/openssl /root/
# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
4. Verify installed version of OpenSSL
# openssl version
-
Thanks for posting the steps. One question:
Even though the compile and installation seem to work, how come my server info still shows 1.0.1e even after the Apache recompile? Is there anything I need to do to make Apache use the new 1.0.2j? Thanks!
Server type: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips
-
You need to remove the current installation and try to install with the steps above.
-
Just to update - I have manually compiled and updated OpenSSL on a CentOS 6.8 - using the following steps (of course you need root privileges on the server) -
1. Download LTS version of OpenSSL:
# cd /usr/src
# wget https://www.openssl.org/source/openssl-1.0.2j.tar.gz
# tar -zxf openssl-1.0.2j.tar.gz
2. Manually compile & upgrade / install OpenSSL:
# cd openssl-1.0.2j
# ./config
# make
# make test
# make install
3. Copy OpenSSL files:
# mv /usr/bin/openssl /root/
# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
4. Verify installed version of OpenSSL
# openssl version
Doesn't work for me...
-
I'm experiencing the same issue. I've installed the latest OpenSSL and the terminal is reporting the correct version:
# openssl version
OpenSSL 1.0.2k 26 Jan 2017
but Apache is reporting the old version:
Server:Apache/2.2.32 (Unix) mod_ssl/2.2.32 OpenSSL/1.0.1e-fips
Is there a workaround for this?
-
CWP is running a customized version of apache/mod_ssl (cwp-httpd).
Checking that version we discover:
---------------------------------------
# strings /usr/local/apache/modules/mod_ssl.so | egrep '^mod_ssl\/|^OpenSSL '
OpenSSL 1.0.1e 11 Feb 2013
OpenSSL 1.0.1e 11 Feb 2013
---------------------------------------
So, this update seems to be a must!
When would we have an updated version of CWP?
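The check above (pulling the embedded "OpenSSL ..." string out of mod_ssl.so) explains the whole thread: `openssl version` reports the CLI binary installed under /usr/local/ssl, while cwp-httpd's mod_ssl.so carries its own copy of the library, so the Server header does not change until the module itself is rebuilt against the new OpenSSL. The script below is an added example, written for this editorial pass and not code from any post in the thread or from CWP. It reimplements the `strings | egrep '^OpenSSL '` check with GNU `grep -a -o -E` alone, compares the result with the CLI version, and runs against a constructed sample file that contains the same version string the thread found (assumptions: GNU grep, `mktemp`, and a POSIX shell; the sample module is constructed and is not a real mod_ssl.so). One caveat worth keeping in mind from a defender's standpoint: a distro build such as CentOS's 1.0.1e-fips carries backported fixes, so the embedded string identifies which build a module was linked against, not by itself whether a given CVE applies.

```shell
#!/bin/sh
# Added example, not from the thread or from CWP: compare the OpenSSL version
# string compiled into a module (e.g. cwp-httpd's mod_ssl.so) with the version
# the `openssl` CLI reports, to show why the two can disagree.

# Print every "OpenSSL x.y.z[-fips] dd Mon yyyy" string embedded in a file,
# one per line, de-duplicated. Equivalent to `strings FILE | grep '^OpenSSL '`.
# Assumes GNU grep (-a scans binary data as text, -o prints only the match).
embedded_openssl_versions() {
    grep -a -o -E 'OpenSSL [0-9][0-9a-z.]*(-fips)? [0-9]{1,2} [A-Z][a-z]{2} [0-9]{4}' "$1" 2>/dev/null | sort -u
}

# Compare the version embedded in MODULE with CLI_VERSION (normally the output
# of `openssl version`). Exit status: 0 = same build, 1 = mismatch,
# 2 = no version string found in the module.
check_module_openssl() {
    module="$1"
    cli_version="$2"
    embedded=$(embedded_openssl_versions "$module" | head -n 1)
    if [ -z "$embedded" ]; then
        echo "no OpenSSL version string found in $module"
        return 2
    fi
    if [ "$embedded" = "$cli_version" ]; then
        echo "MATCH: $module carries $embedded"
        return 0
    fi
    echo "MISMATCH: $module carries '$embedded' but the CLI reports '$cli_version'"
    return 1
}

# Constructed sample module (NOT a real mod_ssl.so): a few binary bytes around
# the same version string the thread found in cwp-httpd's mod_ssl.so.
make_sample_module() {
    f=$(mktemp)
    printf '\177ELF\001\002\000junk\000OpenSSL 1.0.1e 11 Feb 2013\000tail\000' > "$f"
    echo "$f"
}

# With two arguments, check a real module against a real CLI version, e.g.
#   sh check_mod_ssl.sh /usr/local/apache/modules/mod_ssl.so "$(openssl version)"
# With no arguments, run the constructed demonstration.
if [ $# -eq 2 ]; then
    check_module_openssl "$1" "$2"
else
    sample=$(make_sample_module)
    check_module_openssl "$sample" "OpenSSL 1.0.2k 26 Jan 2017" || true
    rm -f "$sample"
fi
```

After following the compile-and-install steps earlier in the thread, running this against mod_ssl.so tells you immediately whether the module was actually rebuilt against the new library or still carries the vendor build; a MISMATCH means the Server header will keep reporting the old version no matter what `openssl version` says.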
-
It doesn't seem to matter to anyone.