
Intigua and the OpenSSL Heartbleed Bug

The Heartbleed bug (OpenSSL advisory) is a serious vulnerability in the OpenSSL cryptographic software library, announced on 7 April 2014. It allows access to up to 64kb of internal memory in affected servers, and this may disclose sensitive information including SSL private keys.

The bug was introduced in OpenSSL 1.0.1, and is resolved in version 1.0.1g and later releases. Anyone running NGINX or NGINX Plus with an affected OpenSSL implementation should upgrade their OpenSSL library immediately and verify that NGINX is using the updated version.

Intigua's standard installation calls for the use of NGINX as the front-end Web Server. Although the core Tomcat application is not vulnerable, this configuration does leverage the underlying OpenSSL libraries to provide SSL connectivity from the client to NGINX. Therefore, patching the OpenSSL on your Intigua server is necessary.

If you are running an affected version of libssl (or even if you are not) you should upgrade to the latest openssl build provided by your operating system vendor, and then restart the NGINX software so that it uses the updated library. Typically, this is done using YUM.

1. Log in as root or as a user with privilege to install software
2. > yum update openssl
3. > service nginx restart

Please note that some Linux operating system vendors have released fixed packages that still bear the OpenSSL 1.0.1e name. Even though the OpenSSL project released 1.0.1g as its newest software, downstream Linux providers have in some cases elected to include just the fix for CVE-2014-0160 in their packages in order to provide a small update quickly.
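
Because a fixed package can still be named 1.0.1e, and because NGINX keeps the old library loaded until it is restarted, the version string alone does not confirm the fix. The following check is an added example, not taken from Intigua or NGINX; it assumes an RPM-based host and an nginx binary that links OpenSSL dynamically, and its function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Intigua's or NGINX's code). Assumes an RPM-based host
# and an nginx binary that links OpenSSL dynamically.

# Succeeds if the package changelog on stdin records the CVE-2014-0160 fix.
# A backported fix keeps the 1.0.1e name, so the version string proves nothing.
changelog_has_fix() {
    grep -q 'CVE-2014-0160'
}

# Succeeds if /proc/<pid>/maps text on stdin shows libssl or libcrypto mapped
# from a file that was replaced on disk, i.e. the process predates the update.
maps_has_stale_openssl() {
    grep -Eq '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$'
}

# Live check: package changelog plus every running nginx process.
check_host() {
    status=0
    if rpm -q --changelog openssl | changelog_has_fix; then
        echo "openssl package: changelog lists the CVE-2014-0160 fix"
    else
        echo "openssl package: no CVE-2014-0160 changelog entry, update it"; status=1
    fi
    for pid in $(pgrep -x nginx); do
        if maps_has_stale_openssl < "/proc/$pid/maps"; then
            echo "nginx pid $pid: still running the old library, restart nginx"; status=1
        else
            echo "nginx pid $pid: no replaced OpenSSL library mapped"
        fi
    done
    return "$status"
}

# Constructed sample inputs (not captured from a real server).
SAMPLE_CHANGELOG_FIXED='* Mon Apr 07 2014 Packager <packager@example.com>
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension'
SAMPLE_CHANGELOG_OLD='* Wed Jan 08 2014 Packager <packager@example.com>
- routine maintenance update'
SAMPLE_MAPS_STALE='7f3a1c000000-7f3a1c061000 r-xp 00000000 fd:01 393241 /usr/lib64/libssl.so.1.0.1e (deleted)'
SAMPLE_MAPS_FRESH='7f3a1c000000-7f3a1c061000 r-xp 00000000 fd:01 393377 /usr/lib64/libssl.so.1.0.1e'

if [ "${1:-}" = "--host" ]; then
    check_host
fi
```

Run it as root with `--host` after the update and restart; a non-zero exit status means either the package or a running nginx process still needs attention.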

Elements of this article are republished from the following procedure on the NGINX website.

http://nginx.com/blog/nginx-and-the-heartbleed-vulnerability/
