Is Liferay affected by the openSSL bug (Heartbleed)
michael merker, modified 10 years ago
Is Liferay affected by the openSSL bug (Heartbleed)
New Member Posts: 3 Join date: 2013.04.02.
Hi
Just wanted to know if Liferay is affected by the openSSL bug (Heartbleed)?
If not, what kind of library is Liferay using for SSL?
Regards
Michael
ritresh girdhar, modified 10 years ago
RE: Is Liferay affected by the openSSL bug (Heartbleed)
Junior Member Posts: 67 Join date: 2011.07.15.
Hi Michael
I am also exploring the same thing, and what I have come to know is that "it's not related to any web server or web applications". It's about the places wherever we used the OpenSSL tool, like for creating an SSL certificate, or some other OpenSSL API we used. That can be affected.
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
https://wiki.bitnami.com/security/2014-04_Heartbleed_Bug
http://community.bitnami.com/t/heartbleed-and-bitnami/23497
Sherry Bastion, modified 10 years ago
RE: Is Liferay affected by the openSSL bug (Heartbleed)
New Member Posts: 1 Join date: 2013.07.24.
Will someone from Liferay please issue a response?
James Falkner, modified 10 years ago
RE: Is Liferay affected by the openSSL bug (Heartbleed) (Answer)
Liferay Legend Posts: 1399 Join date: 2010.09.17.
Sherry Bastion:
Will someone from Liferay please issue a response?
Liferay itself does not contain OpenSSL, but many sites that use Liferay also use software to implement SSL that relies on OpenSSL, so depending on which version of OpenSSL you have, you might be vulnerable and need to update it (More information about how to know if you are affected and how to update is here). There's no patch for Liferay necessary though, just update OpenSSL and revoke/re-issue certs (and invalidate HTTP/HTTPS sessions, and so on, as described on the heartbleed page).
Liferay.com was also affected by this (see the Liferay security statement). The servers have all been updated, and we are in the process of revoking/re-issuing the SSL certs as an added precaution. There's no evidence of a breach (although this particular vulnerability doesn't leave a trace, so that's not saying much). Once the certs are updated (hopefully very soon, like in the next few days), you'll want to change your password (but not before that). We are going to send out more announcements once this is done instructing users of liferay.com what to do. I'll post here as well once it's done.
David H Nebinger, modified 10 years ago
RE: Is Liferay affected by the openSSL bug (Heartbleed) (Answer)
Liferay Legend Posts: 14919 Join date: 2006.09.02.
To clarify, Liferay itself is not affected, but your application container may be.
I tested my site using http://filippo.io/Heartbleed and found I was affected. Updated SSL on my gentoo box, restarted apache httpd & tomcat, and I was no longer affected.
Jack Bakker, modified 10 years ago
RE: Is Liferay affected by the openSSL bug (Heartbleed)
Liferay Master Posts: 978 Join date: 2010.01.03.
David H Nebinger:
http://filippo.io/Heartbleed
The above is good; you can also run the command below on Linux to check the version of OpenSSL:
curl --head http://my.domain.ca
On Linux distros/versions where the latest openssl 1.0.1g is available for the release, an 'apt-get upgrade openssl' and then a restart of apache can do the trick; there are older Linux versions that require it from source, and then even older Linux versions that aren't even affected...
Windows apache is a pain though, as the openssl lib is embedded in the Apache distro package... there is a Windows build with OpenSSL v1.0.1g here: http://www.apachelounge.com/download/additional/ ; but it takes a reinstall of Apache and then also perhaps a mod_jk update to match with Tomcat
--
of course I am referencing for those using apache in front of Tomcat
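Added example, not part of the original posts or of Liferay's code: a shell triage of the OpenSSL token that the `curl --head` command above can reveal in the `Server:` header. The function names and sample headers are constructed, and an "affected-range" result is only a hint, since Apache may hide the token and distributions often backport the fix without changing the version letter.

```shell
#!/bin/sh
# Added example: triage the OpenSSL token in an HTTP "Server:" header.
# Upstream releases 1.0.1 through 1.0.1f and 1.0.2-beta1 contain Heartbleed;
# 1.0.1g fixes it; the 0.9.8 and 1.0.0 branches never had the heartbeat code.
LC_ALL=C; export LC_ALL   # keep [a-f] ranges ASCII-only

# Print the OpenSSL version token from a header line (empty if absent,
# e.g. when Apache hides it via ServerTokens).
openssl_token() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n 's/.*OpenSSL\/\([0-9][0-9A-Za-z.-]*\).*/\1/p'
}

# Classify an upstream version string. "affected-range" is a hint, not proof:
# distro packages often backport the fix and keep the old letter (1.0.1e).
classify_openssl() {
    v=${1%%-fips*}                      # drop build suffixes such as -fips
    case "$v" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1)   echo affected-range ;;
        1.0.1[g-z]*)                    echo not-affected ;;
        0.9.*|1.0.0*)                   echo not-affected ;;
        *)                              echo unknown ;;
    esac
}

check_server_header() {
    classify_openssl "$(openssl_token "$1")"
}

# Live use (host name taken from the post above):
#   check_server_header "$(curl -s --head http://my.domain.ca | grep -i '^server:')"

# Constructed sample headers, not captured from any real host.
while IFS= read -r hdr; do
    printf '%-15s %s\n' "$(check_server_header "$hdr")" "$hdr"
done <<'EOF'
Server: Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1
Server: Apache/2.4.9 (Win32) OpenSSL/1.0.1g mod_jk/1.2.39
Server: Apache/2.2.15 (CentOS) mod_ssl/2.2.15 OpenSSL/1.0.1e-fips
Server: Apache/2.2.3 (Red Hat) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5
Server: Apache
EOF
```

An "unknown" or "affected-range" result should be followed up with the distribution's package changelog or an external test such as the one David mentions.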
Jack Bakker, modified 10 years ago
RE: Is Liferay affected by the openSSL bug (Heartbleed)
Liferay Master Posts: 978 Join date: 2010.01.03.
It's a real bug, but really I suspect most are not victims of any compromise; don't know really. But now that almost everyone knows, including criminals looking to take advantage of this: fix it first (and soon), revoke/reissue certs, change passwords, and monitor for breach (as anyone should do anyway on an ongoing basis).