Article ID: 121916, created on Jun 6, 2014, last review on Oct 16, 2014

  • Applies to:
  • Operations Automation 5.5
  • Operations Automation 5.4
  • Operations Automation 5.0
  • Plesk Automation 11.5
  • Plesk
  • Virtuozzo 6.0
  • Virtuozzo containers for Linux 4.7
  • Virtuozzo containers for Linux 4.6
  • Virtuozzo containers for Windows 4.6
  • Virtuozzo hypervisor
  • Virtual Automation


The OpenSSL group issued a vulnerability alert on June 5, 2014. You can find more information about CVE-2014-0224 at the OpenSSL website.

Fixes were provided for versions 0.9.8, 1.0.0 and 1.0.1:

  • OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
  • OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
  • OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.

For Windows

This affects Parallels Containers for Windows with Parallels Dispatcher installed for management by PACI; a few components are compiled with a vulnerable OpenSSL version. An updated OpenSSL will be included in the next hotfix.

For Linux

This affects almost all services in a system that depend on OpenSSL (especially Apache-based ones), on systems created using one of the following distributions:

  • Debian Wheezy (stable) (vulnerable OpenSSL 1.0.1e-2+deb7u7 and older, fixed in OpenSSL 1.0.1e-2+deb7u10)
  • Ubuntu 14.04 LTS (vulnerable OpenSSL 1.0.1f-1ubuntu2.1 and older, fixed in OpenSSL 1.0.1f-1ubuntu2.2)
  • Ubuntu 13.10 (vulnerable OpenSSL 1.0.1e-3ubuntu1.3 and older, fixed in OpenSSL 1.0.1e-3ubuntu1.4)
  • Ubuntu 12.04 LTS (vulnerable OpenSSL 1.0.1-4ubuntu5.13 and older, fixed in OpenSSL 1.0.1-4ubuntu5.14)

    The package version for Debian/Ubuntu can be checked using the command:

    ~# dpkg -l openssl
  • RedHat, CentOS, CloudLinux 6.5 (vulnerable OpenSSL 1.0.1e-16.el6_5.7 and older, fixed in OpenSSL 1.0.1e-16.el6_5.14)
  • Fedora 19 (fixed in OpenSSL 1.0.1e-38.fc19)
  • Fedora 20 (fixed in OpenSSL 1.0.1e-38.fc20)

    The package version for RedHat/CentOS and Fedora can be checked using the command:

    ~# rpm -q openssl
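
To turn the version lists above into a check, the following added example (not part of the original article or of any Parallels tooling) compares an installed openssl package version with the "fixed in" versions listed here. The distribution keys and function names are hypothetical, and GNU `sort -V` is assumed as a stand-in for the package managers' own version ordering.

```sh
#!/bin/sh
# Added example. Distribution keys (debian-wheezy, el6_5, ...) are hypothetical
# labels; the version strings are the "fixed in" values listed in this article.

# fixed_version KEY -> print the first fixed openssl package version.
fixed_version() {
    case "$1" in
        debian-wheezy) echo '1.0.1e-2+deb7u10' ;;
        ubuntu-14.04)  echo '1.0.1f-1ubuntu2.2' ;;
        ubuntu-13.10)  echo '1.0.1e-3ubuntu1.4' ;;
        ubuntu-12.04)  echo '1.0.1-4ubuntu5.14' ;;
        el6_5)         echo '1.0.1e-16.el6_5.14' ;;
        fedora-19)     echo '1.0.1e-38.fc19' ;;
        fedora-20)     echo '1.0.1e-38.fc20' ;;
        *)             return 1 ;;
    esac
}

# version_ge A B -> succeed if A >= B.
# Assumption: GNU "sort -V" ordering stands in for dpkg/rpm ordering here; it
# compares digit runs numerically, so deb7u7 sorts before deb7u10.
version_ge() {
    if [ "$1" = "$2" ]; then return 0; fi
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# openssl_status KEY INSTALLED -> print fixed, vulnerable or unknown.
openssl_status() {
    fixed=$(fixed_version "$1") || { echo unknown; return 0; }
    if version_ge "$2" "$fixed"; then echo fixed; else echo vulnerable; fi
}

# Typical input for INSTALLED:
#   dpkg-query -W -f='${Version}' openssl
#   rpm -q --qf '%{VERSION}-%{RELEASE}' openssl
```

Where dpkg is available, `dpkg --compare-versions` gives the authoritative ordering for Debian and Ubuntu package versions.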


Hardware node update

Operating system vendors have issued fixes, which have been incorporated by all major distributions. You must apply the OpenSSL updates by installing the new openssl package version:

~# yum clean all; yum update openssl

Note: PSBM, PCS and PVC for Windows use SSL for internal communication with Dispatcher only. This significantly decreases the risk of compromise, but it is still highly recommended to apply the SSL fixes, as SSL might be used by some other third-party services.

PVA Power Panel and PVA MN

Parallels Virtual Automation uses a non-vulnerable version of OpenSSL. It also uses the system OpenSSL for web-based services via Apache.

PVA Power Panel uses the Apache web server running on the host, so OpenSSL must be updated and Apache restarted on the hardware node:

~# service httpd restart

PVA Management Node uses Apache and OpenSSL of the system it is installed on. Update the installation according to its type and restart the services:

  • in a container:

    ~# vzctl update CTID
  • in a virtual machine or on a physical server:

    ~# yum clean all; yum update

Applying fix to containers

  1. For existing containers:

    ~# vzpkg update CTID

    or a single package specifically:

    ~# vzpkg install CTID -p openssl
  2. Operating system template cache(s) should be recreated:

    ~# vzpkg update cache DISTR-VER-ARCH

After the update is applied, all services relying on OpenSSL should be restarted:

  • Restart SSH server, OpenVPN, Apache.
  • Restart any other services running on the host operating system dependent on OpenSSL.

