NGINX and the Heartbleed vulnerability

Are NGINX or NGINX Plus vulnerable to the Heartbleed OpenSSL vulnerability?

The Heartbleed bug (heartbleed.org, OpenSSL advisory) is a serious vulnerability in the popular OpenSSL cryptographic software library, announced on 7 April 2014. It allows access to up to 64kb of internal memory in affected servers, and this may disclose sensitive information including SSL private keys.

The bug was introduced in OpenSSL 1.0.1, and is resolved in version 1.0.1g and later releases. Anyone running NGINX or NGINX Plus with an affected OpenSSL implementation should upgrade their OpenSSL library immediately and verify that NGINX is using the updated version.

NGINX Plus

NGINX Plus is the commercially-supported version of NGINX, adding load balancing, high-availability and management features.

Does your NGINX install use your OS vendor’s instance of OpenSSL?

NGINX builds provided by Nginx or through a third party repository are usually dynamically linked to the operating system’s instance of libssl.so:

$ ldd `which nginx` | grep ssl

libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f82e62bf000)

In this case, you can verify the precise version of openssl as follows (note that the library name does not contain the exact version number):

$ strings /lib/x86_64-linux-gnu/libssl.so.1.0.0 | grep "^OpenSSL "
OpenSSL 1.0.1f 6 Jan 2014

Output on your system may vary. You can also run ‘openssl version‘, although this may give incorrect results if there are several instances of OpenSSL on your server.

If you are running an affected version of libssl (or even if you are not) you should upgrade to the latest openssl build provided by your operating system vendor, and then restart the NGINX software so that it uses the updated library. Check your vendor’s response to CVE-2014-0160 to determine the correct upgrade process; for example:

Please note that some Linux operating systems vendors have released fixed packages that still bear the OpenSSL 1.0.1e name. Even though the OpenSSL project released 1.0.1g as their newest software, downstream Linux providers have in some cases elected to include just the fix for CVE-2014-0160 in their packages in order to provide a small update quickly.

Does your NGINX install use a statically-linked instance of OpenSSL?

If you have compiled nginx yourself, you may have statically linked the openssl libraries. The ldd test will reveal no dependencies on the operating system libssl.so library.  nginx -V will give you the compile-time options which should reveal the options you used:

$ ./objs/nginx -V

nginx version: nginx/1.5.11

built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)

configure arguments: --with-cc-opt=-I../openssl-1.0.1f/include 
  --with-ld-opt='-L../openssl-1.0.1f -Wl,-Bstatic -lssl -lcrypto -Wl,-Bdynamic -ldl' 
  --with-openssl=../openssl-1.0.1f

If you are using a vulnerable version of openssl, you will need to recompile NGINX using a fixed version, or recompile openssl using the -DOPENSSL_NO_HEARTBEATS option and then recompile NGINX.

blog comments powered by Disqus