
OpenSSL Heartbleed Bug

For customers with 1&1 Dedicated Server, 1&1 Virtual Private Server, 1&1 Dynamic Cloud Server

What is Heartbleed?

The Heartbleed bug is one of the most serious security flaws discovered in the OpenSSL encryption library. The vulnerability was caused by a programming error made while implementing a new feature in OpenSSL's TLS protocol support.

The vulnerability affects a key component of the system that provides a secure connection, and it allows others to read data that should be protected by encryption. This means that an attacker can read keys, passwords and other secret data.

Which servers/types of services are affected?

This primarily affects all Internet servers that use OpenSSL encryption. That includes not only web servers but often also servers used for e-mail, Plesk, VPN and other services.

What versions of OpenSSL are affected?

The security gap affects OpenSSL versions starting from 1.0.1, up to 1.0.1f.

If one of the OpenSSL versions named above is installed on your server, we strongly recommend you run an update. Most operating systems already offer an update.

Not affected are:

  • OpenSSL Versions 1.0.1g, OpenSSL 1.0.0 and OpenSSL 0.9.8
  • Customers with a 1&1 WebHosting package (Shared Hosting) or a 1&1 Managed Server.


How do I know if my 1&1 server is affected?

By default, OpenSSL is installed on all Linux distributions. You can find the version installed on your server by using the following shell command:

root@s12345678:/etc# openssl version -a
OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr 7 20:33:29 UTC 2014
platform: debian-amd64

Please note:
The version number displayed above only indicates whether your version could be vulnerable to the bug; it does not determine whether it is in fact affected.
The crucial piece of information here is the date next to 'built on'. If the date is the 7th of April 2014 or later, then your version already contains the bug fix.
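
The two checks described above (the affected version range and the 'built on' date), as an added shell example that is not part of the original 1&1 article. The function name heartbleed_status and its verdict words are assumptions made for illustration; it reads the output of openssl version -a on standard input.

```shell
#!/bin/sh
# Classify `openssl version -a` output using the two rules from the article:
#   1. versions 1.0.1 through 1.0.1f are in the affected range;
#   2. a 'built on' date of 7 April 2014 or later means the fix is included.
# heartbleed_status is a hypothetical helper name, not an OpenSSL tool.
heartbleed_status() {
    awk '
    NR == 1 && $1 == "OpenSSL" {
        ver = $2
        sub(/-.*/, "", ver)                  # drop suffixes such as "-fips"
        affected = (ver ~ /^1\.0\.1[a-f]?$/) # 1.0.1 and 1.0.1a to 1.0.1f
    }
    /^built on:/ && NF >= 8 {
        # Expected layout: built on: Mon Apr 7 20:33:29 UTC 2014
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $4) + 2) / 3
        if (m == int(m) && m >= 1)
            built = sprintf("%04d%02d%02d", $8, m, $5)   # YYYYMMDD
    }
    END {
        if (ver == "")                print "unknown"
        else if (!affected)           print "not-affected-version"
        else if (built == "")         print "affected-version-build-date-unknown"
        else if (built >= "20140407") print "affected-version-patched-build"
        else                          print "vulnerable"
    }'
}

# Live use on a server:  openssl version -a | heartbleed_status
# Constructed sample input (1.0.1e built before the fix date):
printf 'OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Tue Jan  7 10:00:00 UTC 2014\n' |
    heartbleed_status
```

A build that reports no usable date (for example "built on: date not available") is reported as affected-version-build-date-unknown and should be treated as needing the update.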

You can check your server's vulnerability for HTTPS by entering its URL at the following site:

What can I do if my server is affected by the bug?

  • Update your system as soon as possible. Most Linux distributions already offer security updates that can be performed using the standard repositories.
  • Replace or renew your SSL certificate. Unfortunately, it cannot be ruled out that data or keys have already been read.

Please note:
We recommend that you read the information on http://heartbleed.com/.

Depending on the system, you can use the following commands to perform the update:

Debian/Ubuntu:

apt-get update; apt-get upgrade

CentOS:

yum update

OpenSUSE:

zypper update

Please note:
After the update, all services using the SSL libraries must be restarted. Should you be unsure, we recommend a complete restart of the whole server.
For additional information, you may want to reference: