As you might have seen on the OpenSSL update stream, a new update for OpenSSL was released to address the SSL/TLS MITM vulnerability.

As stated in the update stream:

An attacker using a carefully crafted handshake can force the use of weak
keying material in OpenSSL SSL/TLS clients and servers. This can be exploited
by a Man-in-the-middle (MITM) attack where the attacker can decrypt and 
modify traffic from the attacked client and server.

The attack can only be performed between a vulnerable client *and*
server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers
are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users
of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.

As you might know, it's a bit hard to know what version of OpenSSL needs to be installed on CentOS to make sure you are covered.

Looking at the Red Hat update stream site and then the actual bug report, you can see that the version we need is

openssl   1.0.1e-16.el6_5.14

So simply log into your server and run the following commands, making sure you end up with version 1.0.1e-16.el6_5.14 installed:

yum clean all
yum check-update
yum install openssl
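Because Red Hat backports fixes, the installed package keeps the upstream version letter "e" and only the release number moves, so a plain version string comparison against "1.0.1h" would wrongly report the host as vulnerable. The following is an added example (not from the original post) that compares an installed version-release against the fixed build the way rpm does; the sample values are constructed, and on a real host the input would come from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl`.

```shell
#!/bin/sh
# Added example: decide whether a CentOS 6 openssl package carries the
# CVE-2014-0224 fix by comparing its version-release with the fixed build
# named on the page (1.0.1e-16.el6_5.14) using rpm-style segment ordering.
FIXED_VR="1.0.1e-16.el6_5.14"

# Split a version string into alternating numeric / alphabetic segments.
segments() {
    printf '%s' "$1" | sed -e 's/[^0-9A-Za-z]/ /g' \
        -e 's/\([0-9]\)\([A-Za-z]\)/\1 \2/g' \
        -e 's/\([A-Za-z]\)\([0-9]\)/\1 \2/g' \
        -e 's/  */ /g; s/^ //; s/ $//'
}

# Simplified rpmvercmp: prints -1, 0 or 1 for $1 <, = or > $2.
vercmp() {
    sa=$(segments "$1"); sb=$(segments "$2")
    while [ -n "$sa" ] || [ -n "$sb" ]; do
        x=${sa%% *}; sa=${sa#"$x"}; sa=${sa# }
        y=${sb%% *}; sb=${sb#"$y"}; sb=${sb# }
        [ -z "$x" ] && { echo -1; return; }   # $2 has segments left: newer
        [ -z "$y" ] && { echo 1; return; }
        case $x in *[!0-9]*) xn=0;; *) xn=1;; esac
        case $y in *[!0-9]*) yn=0;; *) yn=1;; esac
        if [ "$xn" -eq 1 ] && [ "$yn" -eq 1 ]; then
            [ "$x" -lt "$y" ] && { echo -1; return; }
            [ "$x" -gt "$y" ] && { echo 1; return; }
        elif [ "$xn" -ne "$yn" ]; then
            # rpm rule: a numeric segment is newer than an alphabetic one
            [ "$xn" -eq 1 ] && echo 1 || echo -1
            return
        else
            [ "$(expr "$x" \< "$y")" = 1 ] && { echo -1; return; }
            [ "$(expr "$x" \> "$y")" = 1 ] && { echo 1; return; }
        fi
    done
    echo 0
}

# True (exit 0) when the given version-release is at least the fixed build.
openssl_is_patched() {
    [ "$(vercmp "$1" "$FIXED_VR")" -ge 0 ]
}

# Constructed sample values: a pre-fix CentOS 6.5 build, the fixed build,
# and a later release that already contains the fix.
for vr in 1.0.1e-16.el6_5.7 1.0.1e-16.el6_5.14 1.0.1e-30.el6; do
    if openssl_is_patched "$vr"; then echo "$vr: patched"; else echo "$vr: VULNERABLE"; fi
done
```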
SOLVED: CentOS OpenSSL SSL/TLS MITM vulnerability – Virtualmin – Update Version 1.0.1e-16.el6_5.14 – (CVE-2014-0224)
One thought on "SOLVED: CentOS OpenSSL SSL/TLS MITM vulnerability – Virtualmin – Update Version 1.0.1e-16.el6_5.14 – (CVE-2014-0224)"

  • The report clearly tells all users on openssl 1.0.1 to upgrade to 1.0.1h

    “OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h”
    ^
    So why are you telling them openssl 1.0.1e-16.el6_5.14 is okay?
    ^
    See the ‘e’ there?