Heartbleed: OpenSSL Vulnerability

Discussion in 'Masalah Teknik dan Keamanan' started by handris, 9 Apr 2014.

Thread Status:
Not open for further replies.
  1. handris

    Today I read a lot of news about the OpenSSL Heartbleed vulnerability. In essence, there is a severe bug in OpenSSL's security.

    Several security advisors strongly recommend patching to the latest version of OpenSSL immediately, and replacing everything password-related with stronger characters.

    The news on BBC: http://www.bbc.com/news/technology-26935905
    Security advisory from OpenSSL: https://www.openssl.org/news/secadv_20140407.txt

    One of the online tools for checking whether your OpenSSL is not potentially affected by this bug is: http://filippo.io/Heartbleed/
     
  2. junior riau

    How do you check it for a hosting account?
    Earlier I entered hostname:443
     
  3. junior riau

    OpenSSL> version
    OpenSSL 1.0.1g 7 Apr 2014
    OpenSSL> exit

    there we go, updated :D
     
  4. pedagang

    # yes, my VPS provider also did maintenance related to that; it was down for a few minutes last night
     
  5. handris

    If the SSL port is the default (443), you don't need to enter it; it is detected automatically, bro
     
  6. junior riau

    I've already updated to version 1.0.1g, so why does it say it's still vulnerable? o_O

    [update]
    server needs a reboot
    don't forget, okay
     
    Last edited: 9 Apr 2014
  7. thelor

    from reading around the forums, it seems a reboot isn't needed, only a stop/start of the processes (all processes that use openssl).
    - http://forums.cpanel.net/f185/openssl-heartbleed-bug-1-0-1g-encryption-keys-risk-401511.html
    - http://www.webhostingtalk.com/showthread.php?t=1364373&page=3

    check to make sure openssl has the patch update:

    # rpm -qa |grep openssl
    openssl-devel-1.0.1e-16.el6_5.7.x86_64
    openssl-1.0.1e-16.el6_5.7.x86_64
    # rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160
    * Mon Apr 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.7
    - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
     
  8. junior riau

    oh, maybe it's restarting apache :p
    didn't think of that :D
    http://heartbleed.com/
    this part

    What versions of the OpenSSL are affected?
    Status of different versions:

    • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable <======
    • OpenSSL 1.0.1g is NOT vulnerable
    • OpenSSL 1.0.0 branch is NOT vulnerable
    • OpenSSL 0.9.8 branch is NOT vulnerable
    Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.


    1.0.1e falls within the range 1.0.1 - 1.0.1f
     
  9. thelor

    it's better (they say) to use the stop and start commands, not restart, to make sure all the processes using it have terminated.
    - http://www.webhostingtalk.com/showpost.php?s=ba0ca0fdcbb3d668d85196d352d83be5&p=9076100&postcount=44

    not sure either, but looking at the changelog it seems the patch for this issue has already been applied.
    # rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160
    * Mon Apr 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.7
    - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

    CL also released an update
    - http://www.cloudlinux.com/blog/clnews/464.php
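
thelor's posts above recommend stopping and starting every process that uses OpenSSL once the package is patched. The script below is an added example, not from the thread: on Linux it lists processes whose `/proc/<pid>/maps` still references a libssl/libcrypto file that was replaced on disk (marked `(deleted)`). The function names and the sample process tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Linux only: relies on /proc/<pid>/maps.

# stale_ssl_libs FILE: print the deleted libssl/libcrypto paths listed in a
# maps-format FILE, de-duplicated. Returns 0 if at least one was found.
stale_ssl_libs() {
    awk '$NF == "(deleted)" && $(NF-1) ~ "/lib(ssl|crypto)\\.so[^/]*$" {
             print $(NF-1) }' "$1" | sort -u | grep .
}

# scan_stale_ssl [ROOT]: print "pid command library" for each process under
# ROOT (default /proc) that still maps a replaced OpenSSL library.
scan_stale_ssl() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        libs=$(stale_ssl_libs "$maps" 2>/dev/null) || continue
        dir=${maps%/maps}
        name=$(cat "$dir/comm" 2>/dev/null || echo '?')
        for lib in $libs; do
            echo "${dir##*/} $name $lib"
        done
    done
}

# Constructed sample: a fake /proc tree with one stale and one clean process.
demo=$(mktemp -d)
mkdir "$demo/1201" "$demo/1350"
echo httpd > "$demo/1201/comm"
echo sshd  > "$demo/1350/comm"
cat > "$demo/1201/maps" <<'EOF'
7f3a10000000-7f3a101b5000 r-xp 00000000 fd:00 131077 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f3a10400000-7f3a10462000 r-xp 00000000 fd:00 131080 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a10800000-7f3a1098a000 r-xp 00000000 fd:00 130912 /lib64/libc-2.12.so
EOF
cat > "$demo/1350/maps" <<'EOF'
7f90c0000000-7f90c01b5000 r-xp 00000000 fd:00 131991 /usr/lib64/libcrypto.so.1.0.1e
7f90c0400000-7f90c058a000 r-xp 00000000 fd:00 130912 /lib64/libc-2.12.so
EOF

scan_stale_ssl "$demo"   # on a real host, run as root: scan_stale_ssl
rm -rf "$demo"
```

An empty result from `scan_stale_ssl` after the stop/start means no running process is still holding the replaced library files.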
     
  10. junior riau

    well, as for me, I just use 1.0.1g, the very latest
     