
Nginx NGINX and the Heartbleed vulnerability

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, May 25, 2014.

  1. eva2000

    eva2000 Administrator Staff Member

    Are NGINX or NGINX Plus vulnerable to the Heartbleed OpenSSL vulnerability?


    The Heartbleed bug (heartbleed.org, OpenSSL advisory) is a serious vulnerability in the popular OpenSSL cryptographic software library, announced on 7 April 2014. It allows access to up to 64kb of internal memory in affected servers, and this may disclose sensitive information including SSL private keys.

    The bug was introduced in OpenSSL 1.0.1, and is resolved in version 1.0.1g and later releases. Anyone running NGINX or NGINX Plus with an affected OpenSSL implementation should upgrade their OpenSSL library immediately and verify that NGINX is using the updated version.

    NGINX Plus

    NGINX Plus is the commercially-supported version of NGINX, adding load balancing, high-availability and management features.



    Does your NGINX install use your OS vendor’s instance of OpenSSL?


    NGINX builds provided by Nginx or through a third party repository are usually dynamically linked to the operating system’s instance of libssl.so:

    $ ldd `which nginx` | grep ssl
    libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f82e62bf000)

    In this case, you can verify the precise version of openssl as follows (note that the library name does not contain the exact version number):

    $ strings /lib/x86_64-linux-gnu/libssl.so.1.0.0 | grep "^OpenSSL "
    OpenSSL 1.0.1f 6 Jan 2014



    Output on your system may vary. You can also run 'openssl version', although this may give incorrect results if there are several instances of OpenSSL on your server.

    If you are running an affected version of libssl (or even if you are not) you should upgrade to the latest openssl build provided by your operating system vendor, and then restart the NGINX software so that it uses the updated library. Check your vendor’s response to CVE-2014-0160 to determine the correct upgrade process; for example:


    Please note that some Linux operating systems vendors have released fixed packages that still bear the OpenSSL 1.0.1e name. Even though the OpenSSL project released 1.0.1g as their newest software, downstream Linux providers have in some cases elected to include just the fix for CVE-2014-0160 in their packages in order to provide a small update quickly.

    Does your NGINX install use a statically-linked instance of OpenSSL?


    If you have compiled nginx yourself, you may have statically linked the openssl libraries. The ldd test will reveal no dependencies on the operating system libssl.so library. nginx -V will give you the compile-time options which should reveal the options you used:

    $ ./objs/nginx -V
    nginx version: nginx/1.5.11
    built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
    configure arguments: --with-cc-opt=-I../openssl-1.0.1f/include
    --with-ld-opt='-L../openssl-1.0.1f -Wl,-Bstatic -lssl -lcrypto -Wl,-Bdynamic -ldl'
    --with-openssl=../openssl-1.0.1f


    If you are using a vulnerable version of openssl, you will need to recompile NGINX using a fixed version, or recompile openssl using the -DOPENSSL_NO_HEARTBEATS option and then recompile NGINX.

    The post NGINX and the Heartbleed vulnerability appeared first on NGINX.

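    The three checks in the post above (ldd for dynamic linkage, strings on the libssl file for the real version, nginx -V for a statically linked build) can be scripted so they can be run across many servers the same way. The POSIX shell script below is an added example, not code from the NGINX post or from Centmin Mod; the function names (libssl_path_from_ldd, openssl_version_from_strings, openssl_version_from_nginx_v, is_heartbleed_range, classify, check_installed_nginx) are my own, and the SAMPLE_* values are constructed to mirror the output shown in the post so the parsing can be exercised without an nginx binary present. It treats 1.0.1 through 1.0.1f as the affected range exactly as the post states it; because the post also notes that some vendors shipped a fixed package still named 1.0.1e, the script reports "affected-range" rather than "vulnerable" and leaves the final word to the vendor's CVE-2014-0160 advisory.

```shell
#!/bin/sh
# Added example: classify how an nginx binary links OpenSSL and whether the
# reported OpenSSL version falls in the Heartbleed-affected range (1.0.1..1.0.1f).
# Run with --live to inspect the nginx on PATH; without it only the constructed
# samples below are used.

# --- constructed sample outputs (modelled on the forum post; not captured from a real host) ---
SAMPLE_LDD='    linux-vdso.so.1 =>  (0x00007fff5c7fe000)
    libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f82e62bf000)
    libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f82e5ee0000)'
SAMPLE_LDD_STATIC='    linux-vdso.so.1 =>  (0x00007fff5c7fe000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f82e5cdc000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f82e5900000)'
SAMPLE_STRINGS='OpenSSLDie
OpenSSL 1.0.1f 6 Jan 2014
SSLv3 part of OpenSSL 1.0.1f 6 Jan 2014'
SAMPLE_NGINX_V='nginx version: nginx/1.5.11
built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
configure arguments: --with-cc-opt=-I../openssl-1.0.1f/include --with-ld-opt='"'"'-L../openssl-1.0.1f -Wl,-Bstatic -lssl -lcrypto -Wl,-Bdynamic -ldl'"'"' --with-openssl=../openssl-1.0.1f'

# Print the libssl path the binary is dynamically linked against, or "static"
# when ldd output shows no libssl dependency at all (the self-compiled case).
libssl_path_from_ldd() {
    found=$(printf '%s\n' "$1" | awk '/libssl\.so/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; exit } }')
    if [ -n "$found" ]; then printf '%s\n' "$found"; else printf 'static\n'; fi
}

# Pull "1.0.1f" out of strings(1) output such as "OpenSSL 1.0.1f 6 Jan 2014".
# Only lines starting with "OpenSSL <digit>" count, so "OpenSSLDie" is ignored.
openssl_version_from_strings() {
    printf '%s\n' "$1" | awk '/^OpenSSL [0-9]/ { print $2; exit }'
}

# For a static build, recover the OpenSSL version from the --with-openssl=
# configure argument in nginx -V output (nginx -V writes to stderr, hence 2>&1 below).
openssl_version_from_nginx_v() {
    printf '%s\n' "$1" | sed -n 's/.*--with-openssl=[^ ]*openssl-\([0-9][^ ]*\).*/\1/p' | head -n 1
}

# True (exit 0) when the version string is 1.0.1 through 1.0.1f, the range the
# post names as affected. A distro package named 1.0.1e may already carry the
# backported CVE-2014-0160 fix, so this is "check the vendor advisory", not proof.
is_heartbleed_range() {
    case "$1" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Combine the pieces into one summary line:
#   "dynamic <libssl path> <version> <verdict>"  or  "static <version> <verdict>"
# $1 is ldd output; $2 is strings output of the libssl file (dynamic) or of the
# nginx binary itself (static), where the embedded OpenSSL version string lives.
classify() {
    lib=$(libssl_path_from_ldd "$1")
    ver=$(openssl_version_from_strings "$2")
    [ -n "$ver" ] || ver="unknown"
    if is_heartbleed_range "$ver"; then verdict="affected-range"; else verdict="not-in-affected-range"; fi
    if [ "$lib" = static ]; then
        printf 'static %s %s\n' "$ver" "$verdict"
    else
        printf 'dynamic %s %s %s\n' "$lib" "$ver" "$verdict"
    fi
}

# Live check against the nginx binary on PATH; mirrors the manual steps in the post.
check_installed_nginx() {
    bin=$(command -v nginx) || { echo "nginx not found on PATH"; return 1; }
    ldd_out=$(ldd "$bin" 2>/dev/null || true)
    lib=$(libssl_path_from_ldd "$ldd_out")
    if [ "$lib" = static ]; then
        strings_out=$(strings "$bin")
        echo "nginx -V reports OpenSSL $(openssl_version_from_nginx_v "$("$bin" -V 2>&1)")"
    else
        strings_out=$(strings "$lib")
    fi
    classify "$ldd_out" "$strings_out"
}

if [ "${1:-}" = "--live" ]; then
    check_installed_nginx
else
    classify "$SAMPLE_LDD" "$SAMPLE_STRINGS"            # constructed dynamic case
    classify "$SAMPLE_LDD_STATIC" "$SAMPLE_STRINGS"     # constructed static case
fi
```

    After patching, the post's advice still applies: restart nginx so the new library is actually loaded, then rerun the live check and confirm the reported version (or the vendor changelog for a same-named package) reflects the fix.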
     
  2. eva2000

    eva2000 Administrator Staff Member

    First large scale exploit via Heartbleed: US hospital breach biggest yet to exploit Heartbleed bug

     
  3. Peter Downey

    Peter Downey Member

    I'm mentally prepared for the onslaught of leaks that haven't been discovered yet. You just know that some nasty groups took advantage of the bug early on, or before it went public, stole some serious data and are now just sitting on it.
     
  4. eva2000

    eva2000 Administrator Staff Member

    Indeed, but this digital invasion to exploit user identity info isn't all there is. Folks are still just as vulnerable if they leave their physical letter boxes unsecured and still receive government type letters with the accompanying user details like social security numbers, bank account numbers, date of birth record etc.