Server admins, security experts, and the World Wide Web at large were caught by surprise by the announcement of the Heartbleed exploit. In a nutshell, Heartbleed is a bug in the open source encryption software OpenSSL, which is widely used on Linux systems. The flaw allows attackers to read unencrypted data straight from the in-use memory of the OpenSSL software; the very software that is supposed to protect sensitive data.
This vulnerability has been lurking in the wild for a couple of years, and nobody knows exactly how much damage has been done. One of the most distressing aspects of the Heartbleed bug is that it leaves no evidence: it is impossible to tell whether the exploit was actually used against a given server, or whether data was stolen from it.
And that’s a headache for the Internet. A big one. OpenSSL is widely used, not just on web servers, but on all kinds of devices that depend on open source variants of Linux. Routers. Phones. Even your smart TV could be vulnerable. Do NOT use a smart appliance for any web transactions until you have contacted the manufacturer and verified either that the appliance is not vulnerable, or that a software update correcting the bug is available and you have successfully applied it.
For Linux Plesk administrators, the fix is fairly easy: update OpenSSL from the distribution repository. The example below is for CentOS, logged in as root. For other Linux distributions, consult the package manager documentation for your specific version for the equivalent command to update OpenSSL.
Update OpenSSL from the CentOS repository using yum:
# yum update openssl
Restart Apache:
# service httpd restart
If you are using nginx, restart it:
# service nginx restart
Restart Plesk:
# service sw-cp-server restart
That should do it. Then test your server for the Heartbleed vulnerability.
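The restart steps matter because a service started before the update keeps the old libssl and libcrypto mapped in memory until it is restarted, so the patched library on disk does not protect it yet. As an added example (my own, not from the original post or from Plesk), the script below finds processes that still hold the replaced libraries; it assumes a Linux host with /proc, the function names are hypothetical, and the sample maps lines are constructed.

```shell
#!/bin/sh
# Added example: after "yum update openssl", the kernel marks mappings of the
# replaced library files as "(deleted)" in /proc/PID/maps. Any process that
# still shows such a mapping for libssl/libcrypto is running the OLD code and
# must be restarted (httpd, nginx, sw-cp-server, mail and ftp daemons, ...).

# stale_ssl_mappings MAPS_TEXT -> prints each deleted libssl/libcrypto path once
stale_ssl_mappings() {
    printf '%s\n' "$1" |
        awk '/lib(ssl|crypto)\.so/ && /\(deleted\)/ { print $6 }' |
        sort -u
}

# needs_restart PID -> exit 0 if the process maps a deleted libssl/libcrypto
needs_restart() {
    pid="$1"
    [ -r "/proc/$pid/maps" ] || return 1
    maps=$(cat "/proc/$pid/maps" 2>/dev/null) || return 1
    [ -n "$(stale_ssl_mappings "$maps")" ]
}

# scan_all -> prints "PID COMMAND" for every process still using old OpenSSL
scan_all() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        if needs_restart "$pid"; then
            cmd=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null | cut -c1-60)
            printf '%s %s\n' "$pid" "$cmd"
        fi
    done
}

# Constructed sample of /proc/PID/maps lines (not taken from a real host):
# two stale OpenSSL mappings and one unrelated library that must be ignored.
SAMPLE_MAPS='7f3a1c000000-7f3a1c1f0000 r-xp 00000000 08:01 131090 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f3a1c3f0000-7f3a1c450000 r-xp 00000000 08:01 131105 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a1c660000-7f3a1c670000 r-xp 00000000 08:01 131210 /lib64/libz.so.1.2.3'

# Run "sh check_stale_ssl.sh --scan" as root to scan the live system.
if [ "${1:-}" = "--scan" ]; then
    scan_all
fi
```

An empty scan result after the restarts above means no process is still using the pre-update library; a non-empty one lists the services you forgot to restart.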
The most disruptive aspect of Heartbleed is the inability to detect intrusions. Nobody knows what may have been stolen. Caution is the best course of action here. Conventional wisdom is to change all critical passwords; certainly, at least the root and Plesk admin passwords for your server(s). Some experts also recommend replacing the SSL certificates currently in place. You’ll have to use your own good judgment to assess the vulnerability of your server.
A note for Plesk for Windows administrators: you should be safe, since IIS doesn’t use OpenSSL. However, don’t presume that no other software on your Windows server uses OpenSSL. Test the server to verify that no vulnerability exists.