SSL/TLS-enabled configurations of Apache HTTP Server with OpenSSL 1.0.1 through 1.0.1f are vulnerable to CVE-2014-0160, the so-called “Heartbleed Bug.” (OpenSSL versions older than 1.0.1, such as 0.9.8 and 1.0.0, are not affected.)
No Apache HTTP Server fix is needed to resolve this; no Apache HTTP Server configuration change besides disabling SSL/TLS completely can resolve this. (SSLv2 and SSLv3 are not vulnerable to CVE-2014-0160, but limiting the configuration to one or both of those protocols is not recommended because of other security concerns.) Instead, a patch to OpenSSL, a rebuild of OpenSSL with the TLS Heartbeat extension disabled, or an upgrade of OpenSSL to 1.0.1g or later is required.
In some cases OpenSSL may be statically linked with mod_ssl. httpd and mod_ssl must be rebuilt with the updated OpenSSL when OpenSSL is statically linked with mod_ssl. Note: The build of mod_spdy may rebuild mod_ssl in this manner.
If you build OpenSSL yourself, refer to the OpenSSL project for further information, including the advisory at http://www.openssl.org/news/secadv_20140407.txt.
Checking for mod_ssl statically linked with OpenSSL
Linux
$ nm /path/to/httpd/modules/mod_ssl.so | grep X509_STORE_CTX_free
U X509_STORE_CTX_free...
The “U” in the output marks an undefined symbol, i.e. one that mod_ssl resolves from a shared OpenSSL library at load time; it means the relevant OpenSSL library is not statically linked with mod_ssl. If the symbol is instead listed with a defined type such as “T”, mod_ssl carries its own copy of OpenSSL and must be rebuilt.
Other platforms
Similar checks for symbols work elsewhere. ldd is another way on many Unix-like platforms to determine where mod_ssl finds OpenSSL. depends (Dependency Walker) can be used on Windows to see if mod_ssl.so relies on a separate OpenSSL DLL.
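As an added example (not code from the Apache page), the following POSIX shell script automates the two checks this section describes: whether an "openssl version" string falls in the affected 1.0.1 through 1.0.1f range, and whether nm output for mod_ssl.so shows OpenSSL resolved dynamically or linked in statically. The mod_ssl.so path in check_server is an assumption.

```shell
#!/bin/sh
# Added example, not part of the Apache page: two checks for CVE-2014-0160
# exposure, wrapped in functions so they can be run on a server.

# Returns 0 (true) when an "openssl version" string names an affected release:
# 1.0.1 with no suffix, or 1.0.1a through 1.0.1f. Older branches (0.9.8, 1.0.0)
# and 1.0.1g or later are not affected.
# Caveat: a vendor build may ship a patched library that still reports an old
# version string, which is why the page says to consult the supplier.
heartbleed_affected_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *)                return 1 ;;
    esac
}

# Reads "nm mod_ssl.so" output on stdin and prints how mod_ssl gets OpenSSL:
#   dynamic - X509_STORE_CTX_free is undefined (U or w): resolved from a
#             shared libcrypto at load time, so updating OpenSSL suffices
#   static  - the symbol is defined inside mod_ssl.so: httpd and mod_ssl must
#             be rebuilt against the fixed OpenSSL
#   unknown - symbol not present (stripped binary or unusual build)
openssl_linkage() {
    awk '{ sym = $NF; sub(/@.*/, "", sym) }
         sym == "X509_STORE_CTX_free" {
             found = 1
             if ($(NF-1) == "U" || $(NF-1) == "w") print "dynamic"; else print "static"
             exit
         }
         END { if (!found) print "unknown" }'
}

# Live check combining both; returns non-zero when the server is exposed.
check_server() {
    mod_ssl=${1:-/usr/lib/apache2/modules/mod_ssl.so}   # assumed path
    linkage=$(nm "$mod_ssl" 2>/dev/null | openssl_linkage)
    sysver=$(openssl version 2>/dev/null)
    if heartbleed_affected_version "$sysver"; then
        echo "system OpenSSL ($sysver) is affected; mod_ssl linkage: $linkage"
        return 1
    fi
    if [ "$linkage" = "static" ]; then
        echo "mod_ssl links OpenSSL statically; rebuild httpd/mod_ssl with fixed OpenSSL"
        return 1
    fi
    echo "system OpenSSL ($sysver) not affected; mod_ssl linkage: $linkage"
    return 0
}
```

Run check_server with the path to your mod_ssl.so; a static result means the system OpenSSL version says nothing about mod_ssl and a rebuild is required.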
When to consult with vendors or other third parties
Contact a third-party supplier in the following situations to determine the applicability of CVE-2014-0160 to your server:
- You obtain OpenSSL in binary form with or without Apache HTTP Server
- You are using a commercial product based on Apache HTTP Server
- You are otherwise using mod_ssl or a replacement for it from a third party
- Build or installation of a third-party feature (e.g., mod_spdy) rebuilds mod_ssl
Revisions
- 2014-04-11
- Correct the affected versions: 1.0.1 (without the “a”) is the earliest affected version. Mention explicitly that older versions are not affected. Suggested by Rainer Jung