Plesk and the heartbleed bug/ security vulnerability

[Jean-PhilippeM]

As some of you might know, a bug has been discovered in the openssl libraries, codenamed heartbleed. This bug creates a security vulnerability where an attacker may obtain information from a server through heartbeat requests. You can find more information about the bug here :

https://heartbleed.com/

I am in the process of patching all our servers with the latest version of openssl and I notice that the update process does not seem to work properly on plesk servers. By updating openssl, I am able to fix the security breach on port 443, as it's apache's SSL port. However, this does not seem to fix the issue on port 8443, even if I restart the psa service. Does Plesk use its own custom openssl libraries? Otherwise, I do believe that the openssl update should have fixed the problem for Plesk too.

 

[TSCADFX]

You also need to run:

service sw-cp-server restart

We have a documented upgrade proceedure on our website for those looking to protect Plesk: How to Update Plesk for the Heartbleed Bug

 

[GuidoK]

After restart my webs won't work. I set the ssl certificates to the ips and webs again, but no luck. Only /usr/local/psa/admin/sbin/httpdmng --reconfigure-all works. After a new reboot the problem persists.

 

[IgorG]

Plesk is not affected (as it uses statically linked with invulnerable version) however we strongly recommend update system library as well because other services on your server might use it.

 

[GuidoK]

OpenSSL was vulnerable before. I tried this test: http://filippo.io/Heartbleed/ I am using Debian 7 on two servers. The other one got an update from Plesk last night and is not vulnerable anymore. So it looks like Plesk has fixed it, too, via update.
BUT I have the same problem on both servers now! No running websites after reboot and have to reconfigure again to have running websites again. And just till next reboot. There seems to be a problem with libssl! Plesk should please have a deeper look on Debian 7 systems running Plesk 11.5.

 

[IgorG]

It was fixed by Debian since April 7 - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743883
Package in repo already - https://packages.debian.org/wheezy/openssl
Fix is available since version openssl-1.0.1e-2+deb7u5

 

[GuidoK]

OpenSSL advises to update to G: https://www.openssl.org/news/secadv_20140407.txt
And there is still a problem after rebooting now. Webs won't work until reconfiguring.

 

[Lloyd_mcse]

Qualys has added "Heartbleed" to their tests...

https://www.ssllabs.com/ssltest/index.html

 

[SalvadorS]

Plesk is not affected (as it uses statically linked with invulnerable version) however we strongly recommend update system library as well because other services on your server might use it.

Dear IgorG. Can you explain me why this test over your plesk 11.5 demo says it is vulnerable? Maybe you didm´t restart sw-cp-server?

You can go to http://filippo.io/Heartbleed/ and then enter plesk11.demo.parallels.com:8443

 

[TSCADFX]

Dear IgorG. Can you explain me why this test over your plesk 11.5 demo says it is vulnerable? Maybe you didm´t restart sw-cp-server?

You can go to http://filippo.io/Heartbleed/ and then enter plesk11.demo.parallels.com:8443

Most likely because they haven't updated OpenSSL. The issue is not a Plesk issue as IgorG points out. It's an issue with OpenSSL.

 

[IgorG]

http://spblog.parallels.com/serviceprovider/2014/4/8/update-on-openssl-vulnerability#.U0W_8q2Sz8x

Multiple Parallels products are potentially affected by the 'Heartbleed Bug' because they are based or installed on operating systems impacted by the OpenSSL CVE-2014-0160 vulnerabilities.

The OpenSSL group has published a solution at http://heartbleed.com/.

Additionally, please review and take action outlined in these Knowledgebase articles:

For Parallels Automation: http://kb.parallels.com/en/120984
For Parallels Business Automation Standard: http://kb.parallels.com/en/120986
For Parallels Plesk Panel: http://kb.parallels.com/en/120990
For Virtualization products: http://kb.parallels.com/en/120989

================================================================

Yesterday a new vulnerability was announced in OpenSSL 1.0.1 that allows an attacker to reveal up to 64kb of memory to a connected server. Parallels is working to assess any product specific issues as a result of this OpenSSL vulnerability. We encourage everyone running a server that uses OpenSSL to upgrade to version 1.0.1g to be protected. For previous versions of OpenSSL, re-compiling with the OPENSSL_NO_HEARTBEATS flag enabled will protect against this vulnerability. We will provide any product-specific updates as they become available.

 

[Mr Fett]

Does anyone know if this affects Plesk for Windows?

 

[IgorG]

Does anyone know if this affects Plesk for Windows?

There isn't openssl on Windows.
Windows comes with its own encryption component called Secure Channel (a.k.a. SChannel), which is not susceptible to the Heartbleed vulnerability.

 

[Mr Fett]

Thanks IgorG - I wasn't sure if the library might be running in a linux flavour system running on windows (e.g. Apache, etc.)

(Just for the record, I've programmed with OpenSSL in native windows environements: http://slproweb.com/products/Win32OpenSSL.html) - not for a long time though!