Does The HeartBleed Security Vulnerability Affect OS X Server?

With all this talk about the Heartbleed security vulnerability this week, I thought I would answer a quick question about OS X and Heartbleed: does Heartbleed affect OS X Server?

The Short Answer

Probably not. The OpenSSL that ships with OS X is from the 0.9.8 branch, and that branch was not affected by this vulnerability.

The Long Answer

The Heartbleed vulnerability is a really nasty security vulnerability in the OpenSSL library. OpenSSL is a library and application suite that nearly all Unix/Linux systems use, including OS X. However, the vulnerability is in the 1.0.1 branch of OpenSSL, and the built-in version of OpenSSL on OS X systems is 0.9.8. To see if your system is using a vulnerable version of OpenSSL, open your terminal and type the following command.

If you get back something like “OpenSSL 0.9.8y 5 Feb 2013”, you are fine. In this case, I’m using the 0.9.8y version of OpenSSL. If the version you are running is between 1.0.1 and 1.0.1f, then you are vulnerable. On an OS X machine this would only be the case if you compiled and installed the 1.0.1 version yourself.
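The version check described above, as an added example that is not the post's own snippet (the command itself is missing from the page): `openssl version` is the standard way to print the version string quoted above, and the small function below classifies that string against the affected range the post gives (1.0.1 through 1.0.1f). It goes one step beyond the post by also flagging 1.0.2-beta1, which the OpenSSL advisory listed as affected. The three sample lines are constructed, not captured from real machines.

```shell
#!/bin/sh
# Added example: classify the output of `openssl version` against the
# Heartbleed-affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1).
# `openssl version` prints a line such as "OpenSSL 0.9.8y 5 Feb 2013".

heartbleed_status() {
  # $1 is one line of `openssl version` output.
  # The second whitespace-separated field is the version token.
  ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
  case "$ver" in
    1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1)
      echo "vulnerable" ;;        # these releases ship the flawed heartbeat code
    1.0.1*)
      echo "patched" ;;           # 1.0.1g and later carry the fix
    0.9.8*|1.0.0*)
      echo "not-affected" ;;      # older branches never had the TLS heartbeat extension
    *)
      echo "unknown" ;;           # anything else: consult the vendor's advisory
  esac
}

# Constructed sample outputs showing each outcome.
for line in \
  "OpenSSL 0.9.8y 5 Feb 2013" \
  "OpenSSL 1.0.1e 11 Feb 2013" \
  "OpenSSL 1.0.1g 7 Apr 2014"
do
  printf '%-28s -> %s\n' "$line" "$(heartbleed_status "$line")"
done

# Check the OpenSSL binary first on PATH, if there is one. This only covers
# that binary: a copy you compiled yourself, or one installed by a package
# manager or bundled inside an application, can be a different version.
if command -v openssl >/dev/null 2>&1; then
  here=$(openssl version)
  printf 'this machine: %-28s -> %s\n' "$here" "$(heartbleed_status "$here")"
fi
```

One caveat before trusting the result: the version string alone can mislead on Linux distributions that backport security fixes without changing the version number (Debian and Ubuntu, for example, kept reporting 1.0.1e after shipping the Heartbleed fix), so on those systems check the package changelog or the distribution's advisory rather than this string. On a stock OS X box the 0.9.8 result above is the expected one.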

As a Side Note, What is Heartbleed?

Heartbleed is an error in the OpenSSL code that allows an attacker to steal information off the server through the flawed code. An attacker is able to remotely copy the contents of the server’s memory simply because it is running HTTPS. It is my understanding that the attacker doesn’t need any additional privileges to do this. They can just steal data off the server if it happens to be in the server’s RAM when the attacker launches their attack.

Nasty stuff! So I recommend you: fix any of your systems that may have the flaw, wait until the services you use have fixed their systems, then change ALL your passwords. What a pain! But better safe than sorry.

