Is my openssl version vulnerable?


I just installed CentOS 7 with the default settings and I'd like to be sure whether my OpenSSL version is affected by Heartbleed. I guess it's not, because the version command says built on: Mon Dec 14 05:15:47 UTC 2015 and most of the vulnerable versions were built in 2013.

Anyways, here is the command's full output:

OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Mon Dec 14 05:15:47 UTC 2015
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  rdrand dynamic

There are 2 answers

Leśny Rumcajs (best answer)

From https://www.openssl.org/news/vulnerabilities.html

CVE-2014-0160 (OpenSSL advisory) 7th April 2014: A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64kB of memory to a connected client or server (a.k.a. Heartbleed). This issue did not affect versions of OpenSSL prior to 1.0.1. Reported by Neel Mehta. Fixed in OpenSSL 1.0.1g (Affected 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)

Your version is 1.0.1e, therefore it is vulnerable. Upgrade to at least 1.0.1g.

bort

No - you are not vulnerable to Heartbleed. The security fix was back-ported to the 1.0.1e package managed by CentOS. See: https://wiki.centos.org/Security/Heartbleed
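The two answers disagree because they apply different checks. As an added example (not code from either answer or from the CentOS wiki), the script below combines both: the upstream version rule from the advisory quoted in the first answer, and the package-changelog check for a back-ported fix that the second answer relies on. `rpm -q --changelog openssl` is the real command on CentOS/RHEL; the changelog text embedded here is a constructed sample, and the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: classify an OpenSSL build for CVE-2014-0160 (Heartbleed).
# A distribution that back-ports the fix keeps the old version string
# (1.0.1e), so the version alone is not enough; the package changelog is.

# Extract the bare version token from an `openssl version` line:
# "OpenSSL 1.0.1e-fips 11 Feb 2013" -> "1.0.1e" (suffix after '-' dropped).
openssl_version_token() {
    printf '%s\n' "$1" | awk '{print $2}' | sed 's/-.*$//'
}

# Upstream rule from the advisory: 1.0.1 through 1.0.1f are affected,
# 1.0.1g and later are fixed, releases before 1.0.1 were never affected.
upstream_status() {
    case "$1" in
        1.0.1|1.0.1[a-f]) echo affected ;;
        1.0.1*)            echo fixed ;;          # 1.0.1g and later
        1.0.0*|0.9.*)      echo never-affected ;;
        *)                 echo fixed ;;          # 1.0.2 and later
    esac
}

# $1 = `openssl version` line, $2 = changelog text (as printed by
# `rpm -q --changelog openssl`). Prints one token describing the result.
heartbleed_status() {
    ver=$(openssl_version_token "$1")
    case "$(upstream_status "$ver")" in
        fixed|never-affected) echo "not-vulnerable:upstream"; return 0 ;;
    esac
    # Vulnerable upstream version: look for the back-ported fix in the changelog.
    if printf '%s\n' "$2" | grep -q 'CVE-2014-0160'; then
        echo "not-vulnerable:backport"
    else
        echo "vulnerable"
    fi
}

# Constructed sample changelog entry (placeholder release, not a real excerpt).
SAMPLE_CHANGELOG='* Mon Apr 07 2014 Packager <packager@example.com> 1.0.1e-PLACEHOLDER.el7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension'

# Demonstration on constructed inputs; set RUN_LIVE=1 to query this host instead.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    heartbleed_status "$(openssl version)" "$(rpm -q --changelog openssl 2>/dev/null)"
else
    heartbleed_status "OpenSSL 1.0.1e-fips 11 Feb 2013" "$SAMPLE_CHANGELOG"
    heartbleed_status "OpenSSL 1.0.1e-fips 11 Feb 2013" ""
    heartbleed_status "OpenSSL 1.0.1g 7 Apr 2014" ""
fi
```

On the asker's CentOS 7 system the changelog lookup is the decisive step, since the version string will still read 1.0.1e after the fix is applied.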