Author Topic: Update for openSSL is important!  (Read 15877 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Update for openSSL is important!
« on: August 31, 2016, 09:06:00 AM »
Dear CWP Development Team,

I ran an test for all services and found that there is an dangerous version of openSSL active on the server.
mod_ssl (part of openSSL) runs on version 2.2.31 and this version is already hacked an vulnerable for exploits, which means, reversed shells for everyone!

Code: [Select]
mod_ssl/2.2.31 OpenSSL/1.0.1e-fips mod_antiloris/0.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082, OSVDB-756.
Please update this service!

Kind regards,
Laurens van Strijland


Offline
*
Re: Update for openSSL is important!
« Reply #1 on: October 27, 2016, 07:42:05 PM »
Just to update - I have manually compiled and updated OpenSSL on a CentOS 6.8 - using the following steps (ofcourse you need root priviledges on the server) -

1. Download LTS version of OpenSSL:

# cd /usr/src
# wget https://www.openssl.org/source/openssl-1.0.2j.tar.gz
# tar -zxf openssl-1.0.2j.tar.gz

2. Manually compile & upgrade / install OpenSSL:

# cd openssl-1.0.2j
# ./config
# make
# make test
# make install

4. Copy OpenSSL files:

# mv /usr/bin/openssl /root/
# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

5. Verify installed version of OpenSSL

# openssl version
« Last Edit: October 27, 2016, 07:58:17 PM by intellitech »

Offline
*
Re: Update for openSSL is important!
« Reply #2 on: November 25, 2016, 07:15:11 PM »
Thanks for posting the steps.  One question:

Even the compile and installation seems work, how come my server info still show 1.0.1e even after apache recompile?  Anything I need to make Apache using the new 1.0.2j? Thanks!

Server type: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips

Offline
*****
Re: Update for openSSL is important!
« Reply #3 on: November 26, 2016, 03:12:34 PM »
you need to remove the current installation and try to install with the steps above.

Offline
*
Re: Update for openSSL is important!
« Reply #4 on: December 12, 2016, 05:05:51 AM »
Just to update - I have manually compiled and updated OpenSSL on a CentOS 6.8 - using the following steps (ofcourse you need root priviledges on the server) -

1. Download LTS version of OpenSSL:

# cd /usr/src
# wget https://www.openssl.org/source/openssl-1.0.2j.tar.gz
# tar -zxf openssl-1.0.2j.tar.gz

2. Manually compile & upgrade / install OpenSSL:

# cd openssl-1.0.2j
# ./config
# make
# make test
# make install

4. Copy OpenSSL files:

# mv /usr/bin/openssl /root/
# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

5. Verify installed version of OpenSSL

# openssl version

dont work for me...

Offline
*
Re: Update for openSSL is important!
« Reply #5 on: April 05, 2017, 09:45:11 AM »
I'm experiencing the same issue, I've installed the latest OpenSSL and he terminal is reporting the correct version:

Code: [Select]
# openssl version
OpenSSL 1.0.2k  26 Jan 2017

but Apache is reporting the old version:

Code: [Select]
Server:Apache/2.2.32 (Unix) mod_ssl/2.2.32 OpenSSL/1.0.1e-fips
is there a workaround for this?

Offline
***
Re: Update for openSSL is important!
« Reply #6 on: December 01, 2017, 01:57:02 AM »
CWP is running a customized version of apache/mod_ssl (cwp-httpd).

Checking that version we discover:
---------------------------------------
# strings /usr/local/apache/modules/mod_ssl.so | egrep '^mod_ssl\/|^OpenSSL '
OpenSSL 1.0.1e 11 Feb 2013
OpenSSL 1.0.1e 11 Feb 2013
---------------------------------------

So, this update seems is a must update!
When we would have a updated version of CWP?

Offline
*
Re: Update for openSSL is important!
« Reply #7 on: July 31, 2018, 03:30:15 AM »
It doesn't seem to matter to anyone.