OpenSSL heartbleed CVE-2014-0160 – Data leaks make my heart bleed
David Busby
The heartbleed bug was introduced in OpenSSL 1.0.1 and is present in
The bug is not present in 1.0.1g, nor in the 1.0.0 or 0.9.8 branches of OpenSSL. Some sources report that 1.0.2-beta is also affected at the time of writing; however, it is a beta product, and I would really recommend not using beta-quality releases for something as fundamentally important as OpenSSL in production.
The bug itself is within the heartbeat extension of OpenSSL (RFC6520). It allows an attacker to leak process memory in chunks of up to 64k. This is not to say the data that can be leaked is limited to 64k: the attacker can continually abuse the bug to leak further data until they are satisfied with what has been recovered.
At worst the attacker can retrieve the private keys, the implication being that the attacker now holds the keys to decrypt the encrypted data. As such, the only way to be 100% certain of protection against this bug is to first update OpenSSL (>= 1.0.1g) and then revoke the old keys and certificates and generate new ones. Expect to see a tirade of revocations and re-issuing of CA certs and the like in the coming days.
So how does this affect you as a MySQL user?
Taking Percona Server as an example: it is linked against OpenSSL, meaning that if you want to use TLS for your client connections and/or your replication connections you're going to need to have OpenSSL installed.
You can find your installed version easily via your package manager, for example:
- rpm -q openssl
- dpkg-query -W openssl
If you're running a vulnerable installation of OpenSSL, an update will be required:
- update OpenSSL >= 1.0.1g
  - 1.0.1e-2+deb7u5 is reported as patched on Debian
  - 1.0.1e-16.el6_5.7 is reported as patched on RedHat
  - 1.0.1e-16.el6_22.214.171.124.centos is reported as an interim patch for CentOS from the updates repository; it is superseded by the RedHat package where available
  - 1.0.1e-37.66 is noted in the changelogs as patched on the Amazon AMI
- shut down mysqld
- regenerate the keys and certs used by MySQL for TLS connections (revoking the old certs where it is possible to do so)
- start mysqld
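A small shell helper for the checks in the procedure above, added here as an example (it is not part of the original post): it reads the installed openssl package version via rpm or dpkg-query, compares it against the patched package version quoted above for your distribution, classifies bare upstream version strings, and lists processes, mysqld included, that still map a deleted libssl after the package update and therefore need restarting. GNU `sort -V` and a Linux /proc filesystem are assumed.

```shell
#!/bin/sh
# Heartbleed triage helper: added example, not from the original post.
# Assumes GNU coreutils (sort -V) and a Linux /proc filesystem.
# Patched package versions as reported in the post, per distribution.
PATCHED_DEBIAN='1.0.1e-2+deb7u5'
PATCHED_REDHAT='1.0.1e-16.el6_5.7'
PATCHED_AMAZON='1.0.1e-37.66'

# Bare upstream version (as printed by `openssl version`): 1.0.1 through
# 1.0.1f and 1.0.2-beta are affected; 1.0.1g+, 1.0.0 and 0.9.8 are not.
# Distro packages backport the fix without changing this string, so use
# openssl_package_fixed with the package version for packaged builds.
heartbleed_upstream_vulnerable() {
    case "$1" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        1.0.2-beta*)      return 0 ;;
        *)                return 1 ;;
    esac
}

# True when INSTALLED sorts at or above REQUIRED under version ordering.
openssl_package_fixed() {
    installed=$1; required=$2
    newest=$(printf '%s\n%s\n' "$installed" "$required" | sort -V | tail -n 1)
    [ "$newest" = "$installed" ]
}

# Installed openssl package version from rpm or dpkg, whichever exists.
installed_openssl_package_version() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl
    elif command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}\n' openssl
    else
        return 1
    fi
}

# Updating the package does not fix processes that already loaded the old
# library: they keep the deleted libssl mapped until restarted, which is why
# mysqld is stopped and started in the procedure. Prints "PID command".
processes_with_stale_libssl() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if grep -q 'libssl.*(deleted)' "$maps" 2>/dev/null; then
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
        fi
    done
}
```

Run `openssl_package_fixed "$(installed_openssl_package_version)" "$PATCHED_REDHAT"` (or the Debian or Amazon value) on the host, then `processes_with_stale_libssl` after the update to confirm nothing is still running the old library.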
UPDATE 2014-04-10: This video provides a fantastic description of heartbleed