Update for openSSL is important!

Dear CWP Development Team,

I ran an test for all services and found that there is an dangerous version of openSSL active on the server.
mod_ssl (part of openSSL) runs on version 2.2.31 and this version is already hacked an vulnerable for exploits, which means, reversed shells for everyone!

Code: [Select]

mod_ssl/2.2.31 OpenSSL/1.0.1e-fips mod_antiloris/0.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082, OSVDB-756.
Please update this service!

Kind regards,
Laurens van Strijland

Just to update - I have manually compiled and updated OpenSSL on a CentOS 6.8 - using the following steps (ofcourse you need root priviledges on the server) -

1. Download LTS version of OpenSSL:

# cd /usr/src
# wget https://www.openssl.org/source/openssl-1.0.2j.tar.gz
# tar -zxf openssl-1.0.2j.tar.gz

2. Manually compile & upgrade / install OpenSSL:

# cd openssl-1.0.2j
# ./config
# make
# make test
# make install

4. Copy OpenSSL files:

# mv /usr/bin/openssl /root/
# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

5. Verify installed version of OpenSSL

# openssl version

Thanks for posting the steps.  One question:

Even the compile and installation seems work, how come my server info still show 1.0.1e even after apache recompile?  Anything I need to make Apache using the new 1.0.2j? Thanks!

Server type: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips

you need to remove the current installation and try to install with the steps above.

Just to update - I have manually compiled and updated OpenSSL on a CentOS 6.8 - using the following steps (ofcourse you need root priviledges on the server) -

1. Download LTS version of OpenSSL:

# cd /usr/src
# wget https://www.openssl.org/source/openssl-1.0.2j.tar.gz
# tar -zxf openssl-1.0.2j.tar.gz

2. Manually compile & upgrade / install OpenSSL:

# cd openssl-1.0.2j
# ./config
# make
# make test
# make install

4. Copy OpenSSL files:

# mv /usr/bin/openssl /root/
# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

5. Verify installed version of OpenSSL

# openssl version

dont work for me...

I'm experiencing the same issue, I've installed the latest OpenSSL and he terminal is reporting the correct version:

Code: [Select]

# openssl version
OpenSSL 1.0.2k  26 Jan 2017
but Apache is reporting the old version:

Code: [Select]

Server:Apache/2.2.32 (Unix) mod_ssl/2.2.32 OpenSSL/1.0.1e-fips
is there a workaround for this?

CWP is running a customized version of apache/mod_ssl (cwp-httpd).

Checking that version we discover:
---------------------------------------
# strings /usr/local/apache/modules/mod_ssl.so | egrep '^mod_ssl\/|^OpenSSL '
OpenSSL 1.0.1e 11 Feb 2013
OpenSSL 1.0.1e 11 Feb 2013
---------------------------------------

So, this update seems is a must update!
When we would have a updated version of CWP?

It doesn't seem to matter to anyone.

It was really hard to update openssl on CWP. I am using cwp7 on almalinux 8.

I tried everything and followed many articles available on internet related to upgrade openssl on Linux, but nothing worked for me.

Finally, this article helped me to upgrade my open SSL. https://startechies.net/blog/how-to-install-openssl/

If you are running AlmaLinux 8, you should be at OpenSSL 1.1.1K

dnf --refresh update

should update it.

Apache must be recompiled against the updated openSSL version in order to update mod_ssl.