The Heartbleed vulnerability allows an attacker to read 64-kilobyte chunks of memory from servers and clients that connect using SSL, through a flaw in OpenSSL's implementation of the TLS heartbeat extension.
cPanel & WHM does not provide any copies of the OpenSSL library. The daemons and applications shipped with cPanel & WHM link to the version of OpenSSL provided by the core operating system.
RedHat 6, CentOS 6, and CloudLinux 6 provided vulnerable versions of OpenSSL 1.0.1. All three distros have published patched versions of their OpenSSL 1.0.1 RPMs to their mirrors.
How to fix the Heartbleed vulnerability
To update any affected servers, use the following commands.
1. SSH to your server
2. yum update openssl
3. /scripts/upcp --force
4. /etc/init.d/cpanel restart
5. Stop Apache with the command:
service httpd stop
6. Kill any remaining Apache processes
7. Start Apache with the command:
service httpd start
8. Test your server at http://filippo.io/Heartbleed/ to confirm the server is patched.
9. If your server still shows as vulnerable after step #8, we have found it necessary to recompile Apache. Recompile Apache and run step #8 again.
You can also confirm that the patched package is installed by running the following command:
# rpm -q --changelog openssl | grep -B 1 CVE-2014-0160
* Mon Apr 07 2014 Tomáš Mráz 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
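The update steps and the rpm changelog check above leave one gap a practitioner wants closed: a patched RPM on disk does nothing for a daemon that loaded the old libssl before the update, which is why cpanel and httpd are restarted and leftover Apache processes killed. The helper below is an added example, not part of the original note or of cPanel; it assumes a Linux /proc layout and rpm(8), and finds any process still mapping a replaced OpenSSL library.

```shell
#!/bin/sh
# Post-update verification helper (added example, not from the original note).
# Check 1: the installed openssl RPM changelog records the CVE-2014-0160 fix.
# Check 2: no running process still has the OLD libssl/libcrypto mapped; such a
#          process keeps executing the vulnerable code until it is restarted.
# Assumptions: Linux /proc layout, rpm(8) available for the live changelog check.

# Return 0 if the changelog text on stdin mentions the Heartbleed fix.
changelog_has_heartbleed_fix() {
    grep -q 'CVE-2014-0160'
}

# Live wrapper: query the installed package's changelog (same as the note).
installed_openssl_is_patched() {
    rpm -q --changelog openssl | changelog_has_heartbleed_fix
}

# Print the PIDs under PROCDIR (default /proc) whose memory maps reference a
# libssl or libcrypto file marked "(deleted)": the kernel keeps the old inode
# alive for that process after yum replaced the file on disk.
stale_openssl_pids() {
    procdir="${1:-/proc}"
    for maps in "$procdir"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)' "$maps"; then
            basename "$(dirname "$maps")"
        fi
    done
}

# Human-readable report: which daemons still need a restart.
report_stale_openssl() {
    for pid in $(stale_openssl_pids "${1:-/proc}"); do
        name="unknown"
        [ -r "/proc/$pid/comm" ] && name=$(cat "/proc/$pid/comm")
        echo "PID $pid ($name) still maps a replaced OpenSSL library; restart it"
    done
}
```

Run `report_stale_openssl` after the restart steps; an empty report means every process is using the updated library.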