CVE-2014-0224: Security vulnerability in OpenSSL

Created:

2016-11-16 12:44:20 UTC

Modified:

2017-04-24 11:04:52 UTC

0

Was this article helpful?


Have more questions?

Submit a request

CVE-2014-0224: Security vulnerability in OpenSSL

Applicable to:

  • Plesk

Information

The OpenSSL group has issued a vulnerability alert on June 5, 2014. You can find more information about CVE-2014-0224 at the Open SSL website.

Fix was provided for versions 0.9.8, 1.0.0 and 1.0.1:

  • OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
  • OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
  • OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.

For Windows

This affects Parallels Containers for Windows with installed Parallels Dispatcher for management by PACI, and few components are compiled with vulnerable OpenSSL version. Updated OpenSSL will be included in the next hotfix.

For Linux

This affects almost all services (especially Apache-based) in a system which depend on OpenSSL and those systems created using one of the following distributions:

  • Debian Wheezy (stable) (vulnerable OpenSSL 1.0.1e-2+deb7u7 and older , fixed in OpenSSL 1.0.1e-2+deb7u10 )
  • Ubuntu 14.04 LTS (vulnerable OpenSSL 1.0.1f-1ubuntu2.1 and older , fixed in OpenSSL 1.0.1f-1ubuntu2.2 )
  • Ubuntu 13.10 (vulnerable OpenSSL 1.0.1e-3ubuntu1.3 and older , fixed in OpenSSL 1.0.1e-3ubuntu1.4 )
  • Ubuntu 12.04 LTS (vulnerable OpenSSL 1.0.1-4ubuntu5.13 and older , fixed in OpenSSL 1.0.1-4ubuntu5.14 )

    The package version for Debian/Ubuntu can be checked using the command:

    ~# dpkg -l openssl
  • RedHat, CentOS, CloudLinux 6.5 (vulnerable OpenSSL 1.0.1e-16.el6_5.7 and older , fixed in OpenSSL 1.0.1e-16.el6_5.14 )

  • Fedora 19 (fixed in OpenSSL 1.0.1e-38.fc19 )
  • Fedora 20 (fixed in OpenSSL 1.0.1e-38.fc20 )

    The package version for Redhat/CentOS and Fedora can be checked using the command:

    ~# rpm -q openssl

Resolution

Hardware node update

Operating system vendors have issued fixes, which have been incorporated by all major distributions. You must apply OpenSLL updates by installing new openssl package version:

~# yum clean all; yum update openssl

Note: PSBM, PCS and PVC for Windows use SSL for internal communication with Dispatcher only, this significantly decreases risk of compromise but anyway it is highly recommended to apply fixes for SSL as it might be used by some other 3rd party services.

PVA Power Panel and PVA MN

Parallels Virtual Automation uses not vulnerable version of OpenSSL, and also it uses system OpenSSL for web-based services via Apache.

PVA Power Panel uses Apache web-server running on the host, update OpenSSL and restart of Apache on the hardware node is needed:

~# service httpd restart

PVA Management Node uses Apache and OpenSSL of the system it is installed into, update the installation according to its type and restart services:

  • in a container:

    ~# vzctl update CTID
  • in a virtual machine or on a physical server:

    ~# yum clean all; yum update

Applying fix to containers

  1. For existing containers:

    ~# vzpkg update CTID

    or a single package specifically:

    ~# vzpkg install CTID -p openssl
  2. Operating system template cache(s) should be recreated:

    ~# vzpkg update cache DISTR-VER-ARCH

After the update is applied all the services relying on OpenSSL should be restarted:

  • Restart SSH server, OpenVPN, Apache.
  • Restart any other services running on the host operating system dependent on OpenSSL.
Have more questions? Submit a request
Please sign in to leave a comment.