The Heartbleed Bug is a serious security vulnerability in OpenSSL. It lets an attacker read the memory of a vulnerable server or client, exposing information that SSL/TLS would normally protect, and it does so without leaving anything unusual in the logs.
From the heartbleed.com website:
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
Also found directly on the openssl.org website:
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1. Thanks to Neel Mehta of Google Security for discovering this bug and to Adam Langley and Bodo Moeller for preparing the fix. Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS. 1.0.2 will be fixed in 1.0.2-beta2.
In summary: if you are running OpenSSL 1.0.1 through 1.0.1f (or 1.0.2-beta1), you are vulnerable. To see what you’re running on CentOS, type: rpm -q openssl
> rpm -q openssl
If the output shows a release older than openssl-1.0.1e-16.el6_5.7, the package is vulnerable. The good news is that CentOS already has a fix. Run a yum update (or yum update openssl to pull just that package), then restart the services that use OpenSSL.
> yum update
> rpm -q openssl
If you see openssl-1.0.1e-16.el6_5.7 or a later release, you have the official fixed package. If it worries you that the version still reads 1.0.1e rather than 1.0.1g, don’t: CentOS works the same as Red Hat, which backports the fix into the existing upstream version and bumps only the package release. That is why the fixed package is openssl-1.0.1e-16.el6_5.7.x86_64 and not 1.0.1g, and it also means the version number alone cannot tell you whether you are patched; check the release (or the package changelog).
Once you have verified that the OpenSSL package has been updated, restart every service that uses it (web server, mail, VPN, and anything else linked against libssl). A running process keeps the old library mapped until it is restarted, so a reboot is the simplest way to be sure nothing was missed. Patching stops further leaks but does not undo any that already happened: since the bug can expose private keys and passwords, as the description above notes, consider reissuing certificates and rotating credentials as well.
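The check described in the steps above, as an added example (my code, not from the original post): a POSIX shell script that turns an `rpm -q openssl` string into a fixed/vulnerable verdict, using the post's first fixed build openssl-1.0.1e-16.el6_5.7 as the threshold, and, where rpm and lsof are available, runs the check live and lists processes still mapping the replaced library. The `vercmp` helper only approximates rpm's version ordering; the CVE identifier CVE-2014-0160 (Heartbleed's) does not appear in the post, and the changelog grep assumes the Red Hat/CentOS changelog entry names it.

```sh
#!/bin/sh
# Added example (not from the original post): decide from an `rpm -q openssl`
# string whether a CentOS 6 openssl package carries the Heartbleed fix, then,
# where rpm is present, run that check live and list processes that still map
# the pre-update library and therefore need a restart.
#
# Assumptions, taken from the post: CentOS/RHEL backport the fix into version
# 1.0.1e and bump only the release, and the first fixed build is
# openssl-1.0.1e-16.el6_5.7. Upstream, 1.0.1g and later carry the fix.
FIXED_BACKPORT_RELEASE="16.el6_5.7"
FIXED_UPSTREAM_VERSION="1.0.1g"

# vercmp A B: print -1, 0 or 1. Segments are split on "." and "_" and compared
# numerically when both are numbers, otherwise as strings. This approximates
# rpm's own ordering closely enough for release strings like 16.el6_5.7.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, /[._]/); nb = split(b, pb, /[._]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] : ""
            y = (i <= nb) ? pb[i] : ""
            if (x == y) continue
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) r = (x + 0 < y + 0) ? -1 : 1
            else if (x == "") r = -1
            else if (y == "") r = 1
            else r = (x < y) ? -1 : 1
            print r; exit
        }
        print 0
    }'
}

# heartbleed_status NEVRA: print fixed, vulnerable, not-affected or unknown for
# a package string such as openssl-1.0.1e-16.el6_5.7.x86_64.
heartbleed_status() {
    nevra=$1
    case $nevra in                          # drop the architecture suffix if present
        *.x86_64|*.i686|*.i386|*.noarch) nevra=${nevra%.*} ;;
    esac
    release=${nevra##*-}                    # 16.el6_5.7
    nv=${nevra%-*}                          # openssl-1.0.1e
    version=${nv##*-}                       # 1.0.1e
    name=${nv%-*}                           # openssl
    case $name in
        openssl|openssl-*) ;;
        *) echo unknown; return 0 ;;
    esac
    case $version in
        1.0.1*) ;;                          # the affected branch (advisory: 1.0.1 to 1.0.1f)
        1.0.2*) echo unknown; return 0 ;;   # beta builds; beta1 affected, beta2 fixed, not parsed here
        *) echo not-affected; return 0 ;;   # 0.9.8 and 1.0.0 are not affected per the advisory
    esac
    if [ "$(vercmp "$version" "$FIXED_UPSTREAM_VERSION")" -ge 0 ]; then
        echo fixed; return 0                # an upstream-numbered 1.0.1g or later build
    fi
    if [ "$version" = 1.0.1e ]; then
        case $release in
            *el6*)
                if [ "$(vercmp "$release" "$FIXED_BACKPORT_RELEASE")" -ge 0 ]; then
                    echo fixed
                else
                    echo vulnerable
                fi
                return 0 ;;
            *) echo unknown; return 0 ;;    # some other distro's backport scheme
        esac
    fi
    echo vulnerable                         # 1.0.1 .. 1.0.1f without a known backport
}

# Live check: only runs where rpm exists, so the functions above stay testable
# anywhere. lsof reports a deleted (replaced) mapped file with FD "DEL"; any
# process still mapping the old libssl/libcrypto has not picked up the fix.
# Run as root to see every process.
live_check() {
    installed=$(rpm -q openssl 2>/dev/null) || installed=""
    if [ -z "$installed" ]; then
        echo "openssl package not installed"; return 0
    fi
    for pkg in $installed; do               # one line per installed architecture
        echo "$pkg: $(heartbleed_status "$pkg")"
    done
    # Assumption: the backport's changelog entry names the Heartbleed CVE.
    if rpm -q --changelog openssl 2>/dev/null | grep -q 'CVE-2014-0160'; then
        echo "changelog records the CVE-2014-0160 (Heartbleed) fix"
    fi
    if command -v lsof >/dev/null 2>&1; then
        echo "processes still mapping a replaced libssl/libcrypto (restart these):"
        lsof -n 2>/dev/null | awk '$4 == "DEL" && $NF ~ /lib(ssl|crypto)/ { print $1, $2 }' | sort -u
    fi
}

if command -v rpm >/dev/null 2>&1; then
    live_check
fi
```

Run it as root on the CentOS host after `yum update`; a `fixed` verdict plus an empty process list means the fix is in and every service has picked it up. The verdict is keyed on the release, not the version, which is exactly the distinction the backport makes necessary.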