Heartbleed and Magento – how to fix!

The Heartbleed Bug is a serious vulnerability recently discovered in the widely used OpenSSL cryptographic software library. Although Magento itself does not use OpenSSL directly, many of the web servers Magento runs on do, using it to provide secure (!) connections and the transmission of sensitive data. In short: if your Magento website is properly configured, it is very likely that your checkout process uses the OpenSSL library at some point. Concerned?! You should be…

The Heartbleed bug allows an attacker to steal information protected by the SSL/TLS encryption that secures the checkout process of an otherwise properly configured Magento store. Yes, it is as scary as it sounds, and yes, the vulnerability is global and widespread, but don't panic (just yet ;-)).

More information can be found in this nice video by Elastica security.

Many hosting providers have already upgraded the OpenSSL library, which removes the possibility of exploiting the bug, but perform a check on your own.

1. Check for vulnerability

There are a few online sites/tools that can be used to check whether your Magento site is affected by the Heartbleed vulnerability:




2. How to fix?

Upgrade your OpenSSL library, or get your hosting provider to do so (if they haven't already).

2.1. If you manage your own server, update OpenSSL

On CentOS/RHEL/Fedora (yum):

yum update openssl

On Debian/Ubuntu (apt), first refresh the package index; note that the shared library Apache/nginx actually load lives in the separate libssl1.0.0 package, so upgrade it together with the openssl package:

apt-get update && apt-get install --only-upgrade openssl libssl1.0.0

Important: restart ALL your services that use OpenSSL (httpd, webmin, postfix, openvpn, etc.). A running process keeps the old, vulnerable library mapped in memory until it is restarted, so the upgrade alone is not enough.

2.2. If you have SSH access to your server but don't manage it yourself, check:

your OpenSSL version:

openssl version -a

Look at the "built on:" date. If it is after 7 April 2014, you should be safe, provided the package comes from your distribution's official repository: some distributions backport the fix while keeping the old version number (e.g. 1.0.1e), so the version string alone does not tell you whether the patch was applied (see the discussion in the comments below).
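The check from step 2.2 and the restart reminder from step 2.1, written out as a small script. This is an added example, not code from the original post or from Inchoo: it classifies the version and "built on:" lines of `openssl version -a` output, treats a still-vulnerable version string with a post-7-April-2014 build date as "likely-backported" (to be confirmed against the package changelog rather than trusted outright, which is the caveat raised in the comments), and lists running processes that still map a deleted libssl/libcrypto and therefore need a restart. The affected version ranges (1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g) are taken from heartbleed.com as referenced in the comments; the sample output lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the original post: apply the post's step 2.2
# (version and "built on:" date) to "openssl version -a" output, and list
# services that still map the old library and so need the restart from 2.1.
#
# Assumptions (mine, from the comments and heartbleed.com, not from the post
# body): 1.0.1 through 1.0.1f and 1.0.2-beta1 are the affected releases,
# 1.0.1g is the fixed upstream release, and 7 April 2014 is the cutoff date.

# Turn a "built on:" line into a YYYYMMDD integer. Prints nothing when the
# line has no date (e.g. "built on: reproducible build, date unspecified").
build_date_num() {
    printf '%s\n' "$1" | awk '
        /^built on:/ && NF >= 8 {
            m = index("JanFebMarAprMayJunJulAugSepOctNovDec", $4)
            if (m == 0) exit
            printf "%04d%02d%02d\n", $8, (m + 2) / 3, $5
        }'
}

# classify_openssl VERSION_LINE BUILT_ON_LINE
# Prints: safe | unaffected | vulnerable | likely-backported | unknown
# "likely-backported" is the post's "built after 7 April 2014" case: the
# version string still looks vulnerable, so confirm with the package changelog.
classify_openssl() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([^ ]*\).*/\1/p')
    case "$ver" in
        "")                                     echo unknown; return ;;
        1.0.1|1.0.1-*|1.0.1[a-f]*|1.0.2-beta1*) ;;   # affected branch, check date
        1.0.1[g-z]*|1.0.2*)                     echo safe; return ;;
        *)                                      echo unaffected; return ;;
    esac
    built=$(build_date_num "$2")
    if [ -n "$built" ] && [ "$built" -gt 20140407 ]; then
        echo likely-backported
    else
        echo vulnerable
    fi
}

# Processes that mapped libssl/libcrypto before the upgrade: lsof marks the
# now-deleted file as DEL. Each of these keeps the old code until restarted.
stale_libssl_users() {
    lsof -n 2>/dev/null | awk '/DEL/ && /lib(ssl|crypto)\.so/ { print $1, $2 }' | sort -u
}

# Constructed sample lines (not captured from a real host).
SAMPLE_PATCHED_VER='OpenSSL 1.0.1e-fips 11 Feb 2013'
SAMPLE_PATCHED_BUILT='built on: Tue Apr  8 02:39:29 UTC 2014'
SAMPLE_OLD_VER='OpenSSL 1.0.1e 11 Feb 2013'
SAMPLE_OLD_BUILT='built on: Wed Jan  8 20:45:51 UTC 2014'
SAMPLE_FIXED_VER='OpenSSL 1.0.1g 7 Apr 2014'

if [ "${1:-}" = "--live" ]; then
    # Run against the real host: ./heartbleed_check.sh --live
    out=$(openssl version -a)
    status=$(classify_openssl "$(printf '%s\n' "$out" | sed -n 1p)" \
                              "$(printf '%s\n' "$out" | grep '^built on:')")
    echo "openssl status: $status"
    if [ "$status" = likely-backported ]; then
        echo "confirm the backport: rpm -q --changelog openssl | head, or apt-get changelog openssl"
    fi
    echo "processes still mapping a deleted libssl/libcrypto (restart them):"
    stale_libssl_users
else
    # Demonstration on the constructed samples.
    for s in "$SAMPLE_PATCHED_VER|$SAMPLE_PATCHED_BUILT" \
             "$SAMPLE_OLD_VER|$SAMPLE_OLD_BUILT" "$SAMPLE_FIXED_VER|"; do
        echo "${s%%|*} -> $(classify_openssl "${s%%|*}" "${s#*|}")"
    done
fi
```

Run without arguments to see the three sample classifications; run with `--live` on a server to check the installed library and list the processes that still need restarting. The `likely-backported` result is deliberately not reported as "safe": on the CentOS 6.5 case discussed in the comments the version string stays 1.0.1e after the fix, so the package changelog is the only reliable confirmation.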


3. What next?

There is no way to know whether your site has already been affected or exploited through this bug, so as a precaution you should change all relevant passwords on your site and reissue your SSL keys and certificates, revoking the old ones.

More info on the Heartbleed bug can be found at heartbleed.com.



  1. It’s not just this particular server, but all CentOS, Fedora, RedHat, and many other distros that still haven’t pushed official OpenSSL 1.0.1g into their repos.

    Those who don’t know how to compile by themselves might end up waiting for an official 1.0.1g release in the repo, not knowing that there’s a patched version sitting in front of them (but labeled as < 1.0.1g). 🙂 Yes, you are right that build date by itself is not an indication, but we can be pretty sure that build date *in official repo* could be extremely strong signal that we are talking about patched (earlier) version. 🙂

  2. I understand, that your server may be covered, and does not require any updates.

    The recommendation to check the build date in the post above doesn’t make a good service to the user though.

    It may just give them a false feeling of security, unless of course, they know that a particular distro on that web-server that they have no management access to is CentOS 6.5 and updates come in the form of binary packages through official CentOS repository. If they do not possess this extra knowledge, it seems more reasonable to stick only to the facts they know for sure. The build date by itself is not an indication of whether the appropriate patch was applied to this vulnerable version of OpenSSL.

  3. Hi Michael,

    thank you for your comment. While 1.0.1g is an official OpenSSL release with patch applied, it might take some time before 1.0.1g hits repos as stable, therefore many distros decided to release patched previous/latest stable OpenSSL version – as is the case for CentOS 6.5 (image).

  4. Build date is irrelevant. If you’re vulnerable, upgrade to v1.0.1g then revoke and reissue your x.509 key pairs.

  5. Version 1.0.1e that you show on the screenshot IS vulnerable regardless of what happens to be a compilation date. Please check the “What versions of the OpenSSL are affected?” section on the heartbleed.com website that you refer to, and upgrade your OpenSSL to version 1.0.1g.
