Heartbleed and Magento – how to fix!


The Heartbleed Bug is a serious vulnerability recently discovered in the widely used OpenSSL cryptographic software library. Although OpenSSL is not used by Magento directly, it is used on many of the web servers Magento runs on, providing support for secure (!) connections and transmission of sensitive data. In short – if your Magento website is properly configured, it’s very likely that your checkout process uses the OpenSSL library at some point. Concerned?! You should be…

The Heartbleed bug allows an attacker to steal information protected by the SSL/TLS encryption that secures the checkout process on an otherwise properly configured Magento store. Yes, it’s as scary as it sounds, and yes – the vulnerability is global and widespread, but don’t panic (just yet ;-)).

More information can be found in this nice video by Elastica security.

Many hosting providers have already upgraded the OpenSSL library, thus eliminating possible exploitation of the bug – but perform a check on your own.

1. Check for vulnerability

There are a few online sites/tools that can be used to check whether your Magento site is affected by the Heartbleed vulnerability:

http://filippo.io/Heartbleed/

http://possible.lv/tools/hb/

https://heartbleed.hostgator.com/

2. How to fix?

Upgrade your OpenSSL library, or force your hosting provider to do so (if not yet done).

2.1. If you manage your own server, update OpenSSL:

yum update openssl

or

apt-get update && apt-get install openssl libssl1.0.0

(On Debian/Ubuntu the shared library that Apache/nginx actually load ships in the libssl1.0.0 package, not in the openssl command-line package, so both must be upgraded; apt-get update refreshes the package lists first, and apt-get upgrade/update do not accept package names.)

Important: restart ALL your services that use OpenSSL [httpd, webmin, postfix, openvpn, etc.] – a running process keeps the old, vulnerable library loaded in memory until it is restarted. When in doubt, reboot the server.

2.2. If you have SSH access to your server, but don’t manage it yourself, check:

your OpenSSL version:

openssl version -a

Look at the built on: date – if it is after 7 April 2014, you should be safe (distributions started shipping rebuilt, patched packages on that day).
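The version and build-date check above, as an added example that is not part of the original post: a POSIX sh function that reads the output of openssl version -a and classifies it. It treats 1.0.1 through 1.0.1f as the affected range, and a build after 7 April 2014 only as a hint that a distro backport may be present (the sample reports are constructed; the live check runs the function against the real openssl output).

```shell
#!/bin/sh
# Classify an "openssl version -a" report for Heartbleed exposure.
# Prints one of:
#   not-affected        version is outside 1.0.1 .. 1.0.1f
#   vulnerable          affected version, built before the 7 Apr 2014 fix
#   check-distro-patch  affected version string, but rebuilt on/after
#                       7 Apr 2014: may carry a backported fix, so confirm
#                       it in the package changelog before trusting it
hb_assess() {
    report="$1"
    # First line looks like "OpenSSL 1.0.1e-fips 11 Feb 2013"
    ver=$(printf '%s\n' "$report" | awk '/^OpenSSL/ {print $2; exit}')
    base=$(printf '%s' "$ver" | sed 's/[-+].*//')   # drop -fips, +deb, ...
    case "$base" in
        1.0.1|1.0.1[a-f]) ;;                          # affected range
        *) echo not-affected; return 0 ;;
    esac
    # "built on: Tue Apr  8 02:39:29 UTC 2014" -> month, day, last field = year
    bdate=$(printf '%s\n' "$report" | awk -F': ' '/^built on/ {print $2; exit}')
    set -- $bdate
    mon=$2; day=$3
    eval "year=\${$#}"
    case "$mon" in
        Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;; Jun) m=06;;
        Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) echo vulnerable; return 0 ;;   # unparsable build date: assume the worst
    esac
    built=$(printf '%s%s%02d' "$year" "$m" "$day")
    if [ "$built" -ge 20140407 ]; then echo check-distro-patch; else echo vulnerable; fi
}

# Constructed sample reports (not captured from a real server)
SAMPLE_UNPATCHED="OpenSSL 1.0.1e 11 Feb 2013
built on: Wed Mar 12 10:15:00 UTC 2014"
SAMPLE_CENTOS_REBUILT="OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Apr  8 02:39:29 UTC 2014
platform: linux-x86_64"
SAMPLE_UPSTREAM_FIXED="OpenSSL 1.0.1g 7 Apr 2014
built on: Mon Apr  7 18:00:00 UTC 2014"
SAMPLE_OLD_BRANCH="OpenSSL 1.0.0k 5 Feb 2013
built on: Thu Feb 21 09:00:00 UTC 2013"

for s in "$SAMPLE_UNPATCHED" "$SAMPLE_CENTOS_REBUILT" "$SAMPLE_UPSTREAM_FIXED" "$SAMPLE_OLD_BRANCH"; do
    echo "$(printf '%s' "$s" | head -n1): $(hb_assess "$s")"
done
# Live check on this host, if the openssl binary is available
command -v openssl >/dev/null 2>&1 && hb_assess "$(openssl version -a)"
```

The function only reports what the openssl binary links against; a web server that was started before the upgrade still has the old library in memory, which is why the restart step matters. A check-distro-patch result can be settled on RHEL/CentOS with rpm -q --changelog openssl | grep -i heartbeat.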


3. What next?

There is no way to know whether your site has been affected or exploited through this bug, so as a precaution you should change all relevant passwords on your site and replace your SSL keys: generate new private keys, reissue the certificates and revoke the old ones.

More info on the Heartbleed bug can be found over here.


About Drazen Karacic-Soljic

eCommerce Consultant

Cacan is an eCommerce Consultant at Inchoo, where he's monitoring key performance indicators of client's online store and suggesting improvements.


8 comments

  1. It’s not just this particular server, but all CentOS, Fedora, RedHat, and many other distros that still haven’t pushed official OpenSSL 1.0.1g into their repos.

    Those who don’t know how to compile by themselves might end up waiting for an official 1.0.1g release in the repo, not knowing that there’s a patched version sitting in front of them (but labeled as < 1.0.1g). 🙂 Yes, you are right that the build date by itself is not an indication, but we can be pretty sure that a build date *in the official repo* could be an extremely strong signal that we are talking about a patched (earlier) version. 🙂

  2. I understand that your server may be covered, and does not require any updates.

    The recommendation to check the build date in the post above doesn’t make a good service to the user though.

    It may just give them a false feeling of security, unless of course they know that the particular distro on that web server that they have no management access to is CentOS 6.5 and updates come in the form of binary packages through the official CentOS repository. If they do not possess this extra knowledge, it seems more reasonable to stick only to the facts they know for sure. The build date by itself is not an indication of whether the appropriate patch was applied to this vulnerable version of OpenSSL.

  3. Hi Michael,

    thank you for your comment. While 1.0.1g is an official OpenSSL release with the patch applied, it might take some time before 1.0.1g hits the repos as stable; therefore, many distros decided to release a patched previous/latest stable OpenSSL version – as is the case for CentOS 6.5 (image).

  4. Build date is irrelevant. If you’re vulnerable, upgrade to v1.0.1g then revoke and reissue your x.509 key pairs.

  5. For Ubuntu, apt-get update takes no arguments:

    E: The update command takes no arguments

  6. Version 1.0.1e that you show on the screenshot IS vulnerable regardless of what happens to be a compilation date. Please check the “What versions of the OpenSSL are affected?” section on the heartbleed.com website that you refer to, and upgrade your OpenSSL to version 1.0.1g.
