• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Plesk and the heartbleed bug/ security vulnerability

Jean-PhilippeM

New Pleskian
As some of you might know, a bug has been discovered in the openssl libraries, codenamed heartbleed. This bug creates a security vulnerability where an attacker may obtain information from a server through heartbeat requests. You can find more information about the bug here :

https://heartbleed.com/

I am in the process of patching all our servers with the latest version of openssl and I notice that the update process does not seem to work properly on plesk servers. By updating openssl, I am able to fix the security breach on port 443, as it's apache's SSL port. However, this does not seem to fix the issue on port 8443, even if I restart the psa service. Does Plesk use its own custom openssl libraries? Otherwise, I do believe that the openssl update should have fixed the problem for Plesk too.
 
After restart my webs won't work. I set the ssl certificates to the ips and webs again, but no luck. Only /usr/local/psa/admin/sbin/httpdmng --reconfigure-all works. After a new reboot the problem persists.
 
Plesk is not affected (as it uses statically linked with invulnerable version) however we strongly recommend update system library as well because other services on your server might use it.
 
OpenSSL was vulnerable before. I tried this test: http://filippo.io/Heartbleed/ I am using Debian 7 on two servers. The other one got an update from Plesk last night and is not vulnerable anymore. So it looks like Plesk has fixed it, too, via update.
BUT I have the same problem on both servers now! No running websites after reboot and have to reconfigure again to have running websites again. And just till next reboot. There seems to be a problem with libssl! Plesk should please have a deeper look on Debian 7 systems running Plesk 11.5.
 
Plesk is not affected (as it uses statically linked with invulnerable version) however we strongly recommend update system library as well because other services on your server might use it.

Dear IgorG. Can you explain me why this test over your plesk 11.5 demo says it is vulnerable? Maybe you didm´t restart sw-cp-server?

You can go to http://filippo.io/Heartbleed/ and then enter plesk11.demo.parallels.com:8443
 
Last edited:
http://spblog.parallels.com/serviceprovider/2014/4/8/update-on-openssl-vulnerability#.U0W_8q2Sz8x

Multiple Parallels products are potentially affected by the 'Heartbleed Bug' because they are based or installed on operating systems impacted by the OpenSSL CVE-2014-0160 vulnerabilities.

The OpenSSL group has published a solution at http://heartbleed.com/.

Additionally, please review and take action outlined in these Knowledgebase articles:

For Parallels Automation: http://kb.parallels.com/en/120984
For Parallels Business Automation Standard: http://kb.parallels.com/en/120986
For Parallels Plesk Panel: http://kb.parallels.com/en/120990
For Virtualization products: http://kb.parallels.com/en/120989

================================================================

Yesterday a new vulnerability was announced in OpenSSL 1.0.1 that allows an attacker to reveal up to 64kb of memory to a connected server. Parallels is working to assess any product specific issues as a result of this OpenSSL vulnerability. We encourage everyone running a server that uses OpenSSL to upgrade to version 1.0.1g to be protected. For previous versions of OpenSSL, re-compiling with the OPENSSL_NO_HEARTBEATS flag enabled will protect against this vulnerability. We will provide any product-specific updates as they become available.
 
Does anyone know if this affects Plesk for Windows?

There isn't openssl on Windows.
Windows comes with its own encryption component called Secure Channel (a.k.a. SChannel), which is not susceptible to the Heartbleed vulnerability.
 
Back
Top