
Heartbleed false positive?

Question asked by Steve Obergfell on Oct 21, 2014
Latest reply on Jan 21, 2016 by Rob Moss

Scanned 2 nearly identical CentOS 6.5 servers. One, on which I recently updated the openssl, comes up as vulnerable to Heartbleed (as well as the OpenSSL CCS vulnerability (CVE-2014-0224)). The version of openssl on this server is openssl-1.0.1e-30.e16_52.x86_64, which was compiled on Oct 16, 2014.

When I test on an identical server (except with an older version of openssl) it comes up as clean. This other server is using openssl-1.0.1e-16.e16_52.x86_64, which was compiled on June 5th 2014, and appears to be an older version of openssl.

So I am left thinking that either SSL Labs is giving me false positives because the openssl is so new, or they reintroduced these vulnerabilities in the latest update.
