Security vulnerabilities in OpenSSL - [19 March 2015]

Description:

On 19 March 2015 the OpenSSL project released a security advisory together with updated releases for all four supported branches, fixing multiple vulnerabilities in the library.
Disclosed impacts include denial of service (DoS) against both servers and clients (on the 1.0.2 branch a single crafted ClientHello crashes the peer, CVE-2015-0291) and man-in-the-middle (MitM) downgrade to RSA export cipher suites (the FREAK issue, CVE-2015-0204, which the advisory reclassified as high severity).

For more information, please read the following article: https://isc.sans.edu/forums/diary/OpenSSL+Patch+Released/19485/

Who is vulnerable:

It's important to mention that the information below about the version numbers may change at any time. Please refer to the official operating system vendor documentation for the latest updated information.


For Ubuntu:

Major version 1.0.2:

http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-0291.html

All other versions:

http://www.ubuntu.com/usn/usn-2537-1/

For Debian:

Major version 1.0.2:

https://security-tracker.debian.org/tracker/CVE-2015-0291

All other versions:

https://security-tracker.debian.org/tracker/source-package/openssl

For Red Hat:

https://rhn.redhat.com/errata/RHSA-2015-0715.html

For CentOS:

https://www.centosblog.com/important-openssl-update-multiple-cves-resolved/


For manually built version of OpenSSL:

For the major version 1.0.2, the updated and safe version is 1.0.2a

For the major version 1.0.1, the updated and safe version is 1.0.1m

For the major version 1.0.0 (End of Life Dec 2015), the updated and safe version is 1.0.0r

For the major version 0.9.8 (End of Life Dec 2015), the updated and safe version is 0.9.8zf

These are upstream version numbers and only apply to OpenSSL built from source. Distribution packages keep their base version and backport the fixes, so a distribution build reporting an older string is not necessarily vulnerable; use the vendor advisories above for those.


To find the OpenSSL version on a CentOS/Red Hat Linux:

$ openssl version

or

$ rpm -qa 'openssl*'

To find the OpenSSL version on a Debian/Ubuntu Linux:

$ openssl version

or

$ dpkg -l | egrep '^ii.*(openssl|libssl)'

Note that "openssl version" prints the upstream base version the package was built from, and distributions keep that base version while backporting the fixes (for example 1.0.1f on Ubuntu 14.04, 1.0.1e on RHEL 6 and 7). A version string older than the ones listed above therefore does not by itself mean the package is vulnerable: compare the package release with the one named in the vendor advisory (USN-2537-1, RHSA-2015:0715). On RPM systems "rpm -q --changelog openssl | grep CVE-2015-" lists which of this advisory's CVEs the installed build fixes.
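An added example, not part of the original article, for the manually built case described above: a POSIX shell check that compares a reported upstream version against the fixed releases listed here. It handles OpenSSL's letter-suffix ordering (0.9.8y < 0.9.8z < 0.9.8za < ... < 0.9.8zf) and accepts either a bare version or the whole line printed by "openssl version". It is only meaningful for OpenSSL built from source, for the backporting reason given above. The function and variable names are this example's own, not anything from the OpenSSL project.

```shell
#!/bin/sh
# Added example (not from the original advisory): decide whether an upstream
# OpenSSL version string is at or past the fixed release of its branch, as
# published in secadv_20150319: 1.0.2a, 1.0.1m, 1.0.0r, 0.9.8zf.
# Only meaningful for OpenSSL built from source: distribution packages keep
# the base version (e.g. 1.0.1f on Ubuntu 14.04) and backport the fixes.

# Rank a letter suffix so that releases sort correctly: "" -> 0, "a" -> 1,
# ... "z" -> 26, and the post-"z" names OpenSSL actually used, "za" -> 27,
# "zb" -> 28, ... "zf" -> 32. Each letter adds its alphabet position.
suffix_rank() {
    sr_rest=$1
    sr_rank=0
    while [ -n "$sr_rest" ]; do
        sr_char=$(printf '%s' "$sr_rest" | cut -c1)
        sr_rest=$(printf '%s' "$sr_rest" | cut -c2-)
        sr_code=$(printf '%d' "'$sr_char")   # ASCII code of the letter; 'a' is 97
        sr_rank=$((sr_rank + sr_code - 96))
    done
    echo "$sr_rank"
}

# Return 0 if VERSION (e.g. "1.0.1m", "0.9.8y", "1.0.2a-fips") is fixed,
# 1 if it is older than the fixed release, 2 if the branch is unknown.
# A version with no letter at all ("1.0.2", "1.0.2-beta3") ranks below "a".
openssl_is_fixed() {
    oif_branch=$(printf '%s' "$1" | sed 's/^\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/')
    oif_suffix=$(printf '%s' "$1" | sed 's/^[0-9]*\.[0-9]*\.[0-9]*\([a-z]*\).*/\1/')
    case "$oif_branch" in
        1.0.2) oif_fixed=a ;;
        1.0.1) oif_fixed=m ;;
        1.0.0) oif_fixed=r ;;
        0.9.8) oif_fixed=zf ;;
        *) echo "openssl_is_fixed: unknown branch '$oif_branch'" >&2; return 2 ;;
    esac
    [ "$(suffix_rank "$oif_suffix")" -ge "$(suffix_rank "$oif_fixed")" ]
}

# Accept either a bare version or the whole line printed by "openssl version",
# e.g. "OpenSSL 1.0.1f 6 Jan 2014", and check the version word.
openssl_output_is_fixed() {
    set -- $1
    [ "$1" = "OpenSSL" ] && shift
    openssl_is_fixed "$1"
}

# Usage as a script:  sh check-openssl.sh "$(openssl version)"
if [ $# -gt 0 ]; then
    openssl_output_is_fixed "$1" && echo "fixed: $1" || echo "NOT fixed (or unknown branch): $1"
fi
```

The ranking works because OpenSSL never went past "zz": a single letter scores its alphabet position, and every extra letter adds to it, so "z" (26) sorts below "za" (27) and "ze" (31) below "zf" (32).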

Resolution:

 1. Update the OpenSSL library on your server:

$ sudo yum update 'openssl*'

or

$ sudo apt-get update
$ sudo apt-get install openssl libssl1.0.0

On Debian/Ubuntu the shared library that services actually load is in the libssl1.0.0 package (libssl0.9.8 on older releases), not in the openssl package, which only carries the command-line tool; installing openssl alone leaves every daemon on the vulnerable library. On RHEL 7/CentOS 7 the library is in openssl-libs, which the wildcard above covers.


2. Find all the services using the OpenSSL libraries and restart them (or reboot if the list is long):

$ sudo lsof -n | grep -E 'libssl|libcrypto' | awk '{print $1, $2}' | sort -u

Run it as root, otherwise lsof only shows your own processes. Include libcrypto: several of the fixed bugs (ASN.1, PKCS#7 and X.509 parsing) are in libcrypto, not libssl. Applications that bundle their own OpenSSL (Node.js, or software you compiled against a private copy) do not appear in this list and need their own update.
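As an added example (not from the original article), here is a check that narrows the list above to processes that still map the old, now-replaced library, which is what actually needs a restart. It reads /proc/PID/maps instead of lsof: once the package manager has replaced libssl.so on disk, a process started before the update keeps the old file mapped and the kernel shows the path with a "(deleted)" marker. The function names and the sample maps lines used for testing are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the original advisory): find processes that still
# have the pre-update libssl/libcrypto mapped. After the package manager
# replaces the .so on disk, a running process keeps the old inode mapped and
# /proc/PID/maps shows that path with a "(deleted)" marker. Those processes
# keep executing the vulnerable code until they are restarted.

# Read /proc/PID/maps-style lines on stdin and print the unique paths of
# libssl/libcrypto mappings that are marked deleted, one per line.
# maps fields: address perms offset dev inode pathname...; the pathname may
# contain spaces, so everything from field 6 onwards is kept.
stale_ssl_libs() {
    grep -E 'lib(ssl|crypto)[^ ]*\.so' |
    grep '(deleted)' |
    awk '{ out = $6; for (i = 7; i <= NF; i++) out = out " " $i; print out }' |
    sort -u
}

# Walk all processes and print "PID COMMAND PATH" for each stale mapping.
# Run as root: other users' maps files are not readable otherwise.
list_stale_ssl_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        [ -r "$maps" ] || continue
        # The process may exit between the glob and the read; ignore that.
        { stale_ssl_libs < "$maps"; } 2>/dev/null | while read -r path; do
            comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
            echo "$pid $comm $path"
        done
    done
}

# Usage as a script:  sudo sh stale-ssl.sh --scan
if [ "${1:-}" = "--scan" ]; then
    list_stale_ssl_processes
fi
```

lsof reports the same condition: stale mappings appear with type DEL or a "(deleted)" suffix, so "sudo lsof -n | grep -E 'libssl|libcrypto' | grep -E 'DEL|deleted'" gives the equivalent list. An empty result after restarting the reported services is the confirmation that the update has actually taken effect.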


References:

https://openssl.org/news/secadv_20150319.txt
https://www.openssl.org/news/vulnerabilities.html
https://isc.sans.edu/forums/diary/OpenSSL+Patch+Released/19485/
https://github.com/openssl/openssl/blob/OpenSSL_0_9_8-stable/CHANGES
https://github.com/openssl/openssl/blob/OpenSSL_1_0_0-stable/CHANGES
https://github.com/openssl/openssl/blob/OpenSSL_1_0_1-stable/CHANGES
https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/CHANGES
