Friday, April 11, 2014

Apache HTTP Server and CVE-2014-0160, the so called Heartbleed Bug


SSL/TLS-enabled configurations of Apache HTTP Server with OpenSSL 1.0.1 through 1.0.1f are vulnerable to CVE-2014-0160, the so called Heartbleed Bug. (OpenSSL versions smaller than 1.0.1, such as 0.9.8 and 1.0.0, are safe.)

No Apache HTTP Server fix is needed to resolve this; no Apache HTTP Server configuration change besides disabling SSL/TLS completely can resolve this. (SSLv2 and SSLv3 are not vulnerable to CVE-2014-0160, but limiting the configuration to one or both of those protocols is not recommended because of other security concerns.) Instead, a patch to OpenSSL, a rebuild of OpenSSL with the TLS Heartbeat extension disabled, or an upgrade of OpenSSL to 1.0.1g or later is required.

In some cases OpenSSL may be statically linked with mod_ssl. httpd and mod_ssl must be rebuilt with the updated OpenSSL when OpenSSL is statically linked with mod_ssl. Note: The build of mod_spdy may rebuild mod_ssl in this manner.

If you build OpenSSL yourself, refer to the OpenSSL project for further information, including the advisory at http://www.openssl.org/news/secadv_20140407.txt.

Checking for mod_ssl statically linked with OpenSSL

Linux

$ nm /path/to/httpd/modules/mod_ssl.so | grep X509_STORE_CTX_free
                 U X509_STORE_CTX_free...

The U in the output means that the relevant OpenSSL library is not statically linked with mod_ssl.

Other platforms

Similar checks for symbols work elsewhere. ldd is another way on many Unix-like platforms to determine where mod_ssl finds OpenSSL. depends can be used on Windows to see if mod_ssl.so relies on OpenSSL.

When to consult with vendors or other third parties

Contact a third-party supplier in the following situations to determine the applicability of CVE-2014-0160 to your server:

  • You obtain OpenSSL in binary form with or without Apache HTTP Server
  • You are using a commercial product based on Apache HTTP Server
  • You are otherwise using mod_ssl or a replacement for it from a third party
  • Build or installation of a third-party feature (e.g., mod_spdy) rebuilds mod_ssl

Revisions

2014-04-11
Correct the affected versions: 1.0.1 (without the a) is the earliest affected version. Mention explicitly that older versions are not affected. Suggested by Rainer Jung

No comments: