Heartbleed and Bitnami

How are you running the patch installer? Could you post more details or info in a separate thread?

It is weird; could you try to run it in text mode?

    ./bitnami-opensslfixer-1.0.1g-0-linux-x64-installer.run --mode text

Ran through the opensslfixer and on the first run it flagged an issue restarting Apache.

FIXED: See reply below. I had run the wrong version of the fixer (32 instead of 64).
I should have checked my OS version first via `uname -a`.

ORIGINAL ISSUE:

    httpd: Syntax error on line 92 of /opt/bitnami/apache2/conf/httpd.conf: Cannot load /opt/bitnami/apache2/modules/mod_ssl.so into server: /opt/bitnami/apache2/modules/mod_ssl.so: undefined symbol: SSLv2_client_method

This was before I had completed the

    sudo apt-get install -y libssl1.0.0 openssl

I’ve since completed the apt-get installs and rebooted, but seem to have got myself in a situation of the Apache Mods not being ready for the new OpenSSL which has fully dropped the SSLV2 support.

Same issue with the PHP module as well. Does this hint at a libssl version issue?

    Cannot load /opt/bitnami/apache2/modules/libphp5.so into server: /opt/bitnami/common/lib/libcurl.so.4: undefined symbol: SSLv2_client_method

Package versions
    dpkg -l | grep SSL
    ii  libcurl3            7.22.0-3ubuntu4.7   Multi-protocol file transfer library (OpenSSL)
    rc  libcurl3:i386       7.22.0-3ubuntu4.7   Multi-protocol file transfer library (OpenSSL)
    rc  libssl0.9.8         0.9.8o-7ubuntu3.1   SSL shared libraries
    rc  libssl0.9.8:i386    0.9.8o-7ubuntu3.1   SSL shared libraries
    ii  libssl1.0.0         1.0.1-4ubuntu5.12   SSL shared libraries
    ii  libssl1.0.0:i386    1.0.1-4ubuntu5.12   SSL shared libraries
    ii  openssl             1.0.1-4ubuntu5.12   Secure Socket Layer (SSL) binary and related cryptographic tools
    ii  python-m2crypto     0.21.1-2ubuntu2     a crypto and SSL toolkit for Python
    ii  python-openssl      0.12-1ubuntu2.1     Python wrapper around the OpenSSL library
    rc  ssl-cert            1.0.28ubuntu0.1     simple debconf wrapper for OpenSSL

    dpkg -l | grep apache
    ii  apache2               2.2.22-1ubuntu1.5   Apache HTTP Server metapackage
    ii  apache2-mpm-prefork   2.2.22-1ubuntu1.5   Apache HTTP Server - traditional non-threaded model
    ii  apache2-utils         2.2.22-1ubuntu1.5   utility programs for webservers
    ii  apache2.2-bin         2.2.22-1ubuntu1.5   Apache HTTP Server common binary files
    ii  apache2.2-common      2.2.22-1ubuntu1.5   Apache HTTP Server common files
    ii  libapache2-mod-php5   5.3.10-1ubuntu3.11  server-side, HTML-embedded scripting language (Apache 2 module)

Any suggestions?

I continued with the 'yum update' route, and have some questions about that.

Is it still valuable to try with "--mode text" to give feedback?

I don’t get your question about “how am I running”, as I showed the shell commands where I run it.

Currently:

    root@trac:/home/bitnami# /usr/bin/openssl version -a
    OpenSSL 1.0.1 14 Mar 2012
    built on: Mon Apr  7 20:33:29 UTC 2014
    platform: debian-amd64
    options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
    compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
    OPENSSLDIR: "/usr/lib/ssl"
    root@trac:/home/bitnami# openssl version -a
    OpenSSL 1.0.1c 10 May 2012
    built on: Mon Oct 29 10:41:42 EDT 2012
    platform: linux-x86_64
    options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
    compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -fPIC -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
    OPENSSLDIR: "/bitnami/tracstack-linux-x64/output/common/openssl"
    root@trac:/home/bitnami# which openssl
    /opt/bitnami/common/bin/openssl

Should I be worried about the “/opt/bitnami/common/bin/openssl” version?

Edited post:

Answer: YES

See post below.

I tried this, even though I've already upgraded, and got a dialog. So it looks like the additional parameter did the trick.

After completing this patch, both versions of openssl seem to be patched.

    root@trac:/home/bitnami/heartbreak# /usr/bin/openssl version -a
    OpenSSL 1.0.1 14 Mar 2012
    built on: Mon Apr  7 20:33:29 UTC 2014
    platform: debian-amd64
    options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
    compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
    OPENSSLDIR: "/usr/lib/ssl"
    root@trac:/home/bitnami/heartbreak# which openssl
    /opt/bitnami/common/bin/openssl
    root@trac:/home/bitnami/heartbreak# /opt/bitnami/common/bin/openssl version -a
    OpenSSL 1.0.1g 7 Apr 2014
    built on: Tue Apr  8 09:07:07 CEST 2014
    platform: linux-x86_64
    options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
    compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -fPIC -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
    OPENSSLDIR: "/bitnami/lampstack-linux-x64/output/common/openssl"

It’s not clear to me if I have 2 versions of openssl because I added additional servers to the original stack, or if all similar stacks would have this situation. In either case, it might be a good idea to update:

1. With bitnami supplied patch, AND

2. With the alternate method (“yum update” in my case) described in [2014-04 Heartbleed Bug][1]

[1]: https://wiki.bitnami.com/security/2014-04_Heartbleed_Bug

Did you install the 32 bit or 64 bit version of the patch installer? What is the server platform 32 bit or 64 bit?

I am running the Bitnami Moodle image 2.6. I've run the two apt-get commands, which seem to execute OK. I restarted. However, it appears I am still vulnerable and my openssl has not been updated. I get the following output when I check openssl versions.

    bitnami@ip-10-136-2-194:~$ openssl version -a
    OpenSSL 1.0.1e 11 Feb 2013
    built on: Fri Nov 15 10:31:46 CET 2013
    platform: linux-elf
    options: bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) blowfish(idx)
    compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -fPIC -Wa,--noexecstack -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
    OPENSSLDIR: "/bitnami/lampstack-linux/output/common/openssl"
    bitnami@ip-10-136-2-194:~$ /usr/bin/openssl version -a
    OpenSSL 1.0.1 14 Mar 2012
    built on: Mon Apr 7 20:31:55 UTC 2014
    platform: debian-i386
    options: bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) blowfish(idx)
    compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
    OPENSSLDIR: "/usr/lib/ssl"

Correct. Bitnami ships an OpenSSL library version in the stack that is the one that uses Apache for HTTPS. This is the most important one and it is fixed with the Patch installer.

You can also upgrade your system SSL library so any other server that you have installed in your system loads a new version of the library.
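To tell which of the two copies on a host is fixed, here is an added example (my code, not from the thread or from Bitnami) that applies the reading used above to each `openssl version -a` dump; the `audit`, `classify` and `parse_built_on` names and the 2014-04-07 cutoff are assumptions of the example.

```python
"""Classify `openssl version -a` output from each OpenSSL copy on a host.

Heuristic (an assumption for this example, not a Bitnami rule): on the 1.0.1
branch, 1.0.1g+ is fixed; 1.0.1 through 1.0.1f counts as fixed only when built
on or after 2014-04-07, when distributions shipped backported fixes (Ubuntu keeps
the "1.0.1" string and only bumps the build date). Also test the live service.
"""
import re
import subprocess
from datetime import datetime

VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")
BUILT_RE = re.compile(r"^\s*built on:\s+(.+)$", re.MULTILINE)
FIX_DATE = datetime(2014, 4, 7)

# Sample dumps copied from this thread: the Ubuntu package and the stack's own copy.
SYSTEM_COPY = "OpenSSL 1.0.1 14 Mar 2012\nbuilt on: Mon Apr  7 20:33:29 UTC 2014\n"
STACK_COPY = "OpenSSL 1.0.1c 10 May 2012\nbuilt on: Mon Oct 29 10:41:42 EDT 2012\n"

def parse_built_on(text):
    """Return the 'built on:' date (time and zone ignored), or None if absent."""
    m = BUILT_RE.search(text)
    if not m:
        return None
    t = m.group(1).split()  # e.g. ['Mon', 'Apr', '7', '20:33:29', 'UTC', '2014']
    try:
        return datetime.strptime(f"{t[1]} {t[2]} {t[-1]}", "%b %d %Y")
    except (IndexError, ValueError):
        return None

def classify(text):
    """Return 'patched', 'vulnerable' or 'out-of-scope' for one version dump."""
    m = VERSION_RE.search(text.strip())
    if not m or tuple(int(x) for x in m.group(1, 2, 3)) != (1, 0, 1):
        return "out-of-scope"  # not the 1.0.1 branch; needs a different check
    if m.group(4) >= "g":
        return "patched"       # 1.0.1g or later carries the upstream fix
    built = parse_built_on(text)
    if built is not None and built >= FIX_DATE:
        return "patched"       # distro rebuild carrying the backported fix
    return "vulnerable"

def audit(binaries):
    """Run each OpenSSL binary on the host and classify what it reports."""
    results = {}
    for path in binaries:
        try:
            out = subprocess.run([path, "version", "-a"], capture_output=True, text=True, check=True)
            results[path] = classify(out.stdout)
        except (OSError, subprocess.CalledProcessError):
            results[path] = "missing"
    return results
```

Run `audit(["/usr/bin/openssl", "/opt/bitnami/common/bin/openssl"])` on the host; a "patched" system copy next to a "vulnerable" stack copy is the state shown earlier in this thread, and `classify(STACK_COPY)` reproduces it offline.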

The patch installer does not work for me when run against a fresh install of your Ubuntu LAMP VM.

This morning I got a fresh download of the Ubuntu LAMP stack in virtual machine form and installed that under VirtualBox, and verified it was vulnerable using this tool described here:

    Git clone: https://gist.github.com/10100394.git
    Syntax: python ssltest.py server.com -p 443

I then fetched a copy of your patch script (http://downloads.bitnami.com/files/download/opensslfixer/bitnami-opensslfixer-1.0.1g-0-linux-installer.run), verified the MD5, and ran it. It appears that it didn’t do anything useful, since the LAMP stack still tests as vulnerable.

Here is what I am running:

    bitnami@linux:~$ uname -a
    Linux linux 3.2.0-53-virtual #81-Ubuntu SMP Thu Aug 22 21:21:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

and yes, I have tried running the patch script several different ways:

    sudo bitnami-opensslfixer-1.0.1g-0-linux-installer.run
    sudo ./bitnami-opensslfixer-1.0.1g-0-linux-installer.run --mode text

Scratch that. I ran the fixer script and now all seems well. Thanks!


Had to roll back to the backup files created by the sslfix script because I got the following error when Apache tries to start. Anyone know why or have a solution?

Error message:

    httpd: Syntax error on line 64 of /opt/bitnami/apache2/conf/httpd.conf: Cannot load /opt/bitnami/apache2/modules/mod_authnz_ldap.so into server: /opt/bitnami/common/lib/libldap-2.4.so.2: symbol SSL_CTX_set_tmp_dh_callback, version OPENSSL_1.0.1 not defined in file libssl.so.1.0.0 with link time reference
    apache config test fails, aborting

I finally got the script to run. The problem was that I had grabbed the 32-bit Linux version and I needed the 64-bit version.

Did you install the correct version for your OS? Note that two versions are available: 32 bit and 64 bit.

You can restore the previous libraries from the /opt/bitnami/opensslfix/backup/ folder to /opt/bitnami/common/lib

It seems you downloaded the 32 bit version. You should download and install the 64 bit version of the patch.

Hi,
I'm using Mac OS 10.9.3 (Mavericks) and need to update the OpenSSL version bundled with the Bitnami stack. So I was following the instructions from the link below and got stuck after downloading the patch installer. When I install the bitnami-opensslfixer, somehow I couldn't install this patch. It says to select a Bitnami installation to patch, but I'm not certain which folder to choose.
https://wiki.bitnami.com/security/2014-04_Heartbleed_Bug

Please advise on the instructions here.

Thank you

You should specify the installation of your previous stack. For example, if you installed Wordpress you should select your installation directory:

/Applications/wordpress-3.8.1-0

I hope it helps.

Spot on. I had tried to run the 32-bit version and thought it had failed. I should have checked first via uname -a and run the 64-bit version.

Many thanks Beltran

Yes, I reverted back using the backup files. Then I tried to run the 32-bit opensslfix; again it errored when trying to restart services. Here is a paste of the error message. I will revert back again until I have more time to troubleshoot.

    Error: There has been an error.
    Error running /opt/bitnami/ctlscript.sh restart apache : httpd: Syntax error on line 64 of /opt/bitnami/apache2/conf/httpd.conf: Cannot load /opt/bitnami/apache2/modules/mod_authnz_ldap.so into server: /opt/bitnami/common/lib/libldap-2.4.so.2: symbol SSL_CTX_set_tmp_dh_callback, version OPENSSL_1.0.1 not defined in file libssl.so.1.0.0 with link time reference
    httpd: Syntax error on line 64 of /opt/bitnami/apache2/conf/httpd.conf: Cannot load /opt/bitnami/apache2/modules/mod_authnz_ldap.so into server: /opt/bitnami/common/lib/libldap-2.4.so.2: symbol SSL_CTX_set_tmp_dh_callback, version OPENSSL_1.0.1 not defined in file libssl.so.1.0.0 with link time reference

I am having similar problems trying to patch an older 64-bit Bitnami image. I made a lot of changes to the image, so I don't want to start over with a new image, but now I can't restart Apache. I can't even stop it using ctlscript.
Luckily, I did this on a copy of the running image, but now I'm stuck. Help please.

Here's what I'm getting:

    httpd: Syntax error on line 92 of /opt/bitnami/apache2/conf/httpd.conf: Cannot load /opt/bitnami/apache2/modules/mod_ssl.so into server: /opt/bitnami/apache2/modules/mod_ssl.so: symbol X509_INFO_free, version OPENSSL_1.0.1 not defined in file libcrypto.so.1.0.0 with link time reference
    apache config test fails, aborting

@carlhub @luserjeff What exact image were you using? We will try to reproduce it.