OpenSSL update for PCI Compliance on cPanel
Of the various support requests I have received recently, a few have been from customers wanting to upgrade OpenSSL on a cPanel server. The reason being the latest PCI compliance tests are reporting a vulnerability in the version of OpenSSL installed on their server. Well, depending on your setup, this may be a false positive.
The PCI report may report something like “The remote web server is running a version of OpenSSL older than 1.0.0c“. It will then go on to list the vulnerabilities in versions before 1.0.0c. What you must look for are the “CVE”(Common Vulnerabilities and Exposures) numbers of those vulnerabilities. e.g CVE-2010-0742, CVE-2010-1633 etc.
What you must understand is that PCI is assuming OpenSSL on your server is vulnerable based on the version number of OpenSSL on your server. Its not just for OpenSSL, but for any package PCI tests on your server. What you must know is that many, if not all, Linux distributions backport security patches to older versions of a package. So even though the version number of OpenSSL is older than 1.0.0c, it does not mean the mentioned vulnerability exists on your server. To check if the version of OpenSSL, or any other package, has already been patched for the mentioned vulnerability you can use the following command:
rpm -q --changelog pkgname>>changelog.txt
Where you must replace pkgname with the name of the package you want to check. In this case it would be “
rpm -q --changelog openssl>>changelog.txt“. This will output the list of CVE patches made to that version of openssl to a file called changelog.txt. You then just have to search that file for the CVE numbers mentioned in the PCI report. If they are there, then OpenSSL on your server has already been patched. You can forward these details to PCI and inform them that it is a false positive.
Now what if you don’t find the CVE number in the change log? First you need to use your package management software(yum, up2date, etc) and check for updates for your package. Apply any updates and then check the changelog again. If you still do not see the CVE number, or no updates are available what do you do? Well, first of all don’t panic. If your Linux distribution, hasn’t released an update, or backported security patches, they’ll have a good reason. Take the above two mentioned vulnerabilities, CVE-2010-0742 and CVE-2010-1633, for example. If your server is running RHEL 3 or above, you’ll probably wont find them mentioned in the changelog. No matter which version of OpenSSL you have installed. Search for details about the CVE number in your Linux distribution’s site. A search for these CVE numbers on redhat.com will give you these two links ,. If you look under the “Statement” section, you will see the following message:
“Not vulnerable. These issues did not affect the versions of OpenSSL as shipped with Red Hat Enterprise Linux 3, 4, or 5.”
So in this case, you don’t have to worry. You can report the same to PCI and they will mark this as a false positive. So search for reports about the CVE number specifically for your Linux distribution. An upgrade may not be required.
About the Author:
Hamish joined Bobcares in July of 2004, and since then has grown to be well versed in the Control Panels and Operating systems used in the Web Hosting industry today. He is highly passionate about Linux and is a great evangelist of open-source. When not at work, he keeps himself busy populating this blog with both technical and non-technical posts. When he is not on his Xbox, he is an avid movie lover and critic