OpenSSL Vulnerabilities fix – CVE-2016-2108

OPENSSL VULNERABILITIES – CVE-2016-2108 & CVE-2016-2107

On 3rd May 2016, OpenSSL released patches for two high severity bugs (CVE-2016-2108 & CVE-2016-2107), and 4 low severity ones. 

CVE-2016-2107 is an OpenSSL bug which allows a man-in-the-middle (MITM) attacker to use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server support AES-NI.

CVE-2016-2108 is a bug on OpenSSL’s ASN.1 encoder which allows attackers to trigger an out-of-bounds write, causing memory corruption that is potentially exploitable with some malloc implementations.

These vulnerabilities affects most of the Linux operating systems such as Ubuntu, CentOS and Debian, since OpenSSL is included as a default package on the operating systems. If you are running vulnerable OS, we strongly recommend you to install the latest patches for your operating system to fix the vulnerability issue on your server. 

OpenSSL Vulnerable Operating Systems

A security issue affects these releases:

  • Ubuntu 16.04 LTS
  • Ubuntu 15.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Redhat Enterprise Linux 5
  • Redhat Enterprise Linux 6
  • Redhat Enterprise Linux 7
  • CentOS 6
  • CentOS 7
  • Amazon Linux

 

How to Fix the Problem

You just need to install the latest patches for your operating system, and restart your server afterwards for the new patches to take effect.

On Ubuntu and Debian Systems:

# sudo apt-get update
# sudo apt-get install libssl1.0.0 (or) apt-get install –only-upgrade libssl1.0.0

You can verify if the OpenSSL vulnerabilities are patched by using the below command:

# sudo apt-get changelog libssl1.0.0 | egrep -i “(CVE-2016-2107|CVE-2016-2108)”

and then reboot the system.

On RedHat/CentOS Systems:

RedHat released the updates for CVE-2016-2105 CVE-2016-2107 CVE-2016-2108 CVE-2016-2109 and CVE-2016-2176 , In this CVE-2016-2108 is the critical one and you can fix this issue by Openssl update.

Red Hat Enterprise Linux 7 openssl-1.0.1e-51.el7_2.5 -> Released
Red Hat Enterprise Linux 7 openssl098e -> Will not fix
Red Hat Enterprise Linux 6 openssl-1.0.1e-48.el6_8.1 -> Released
Red Hat Enterprise Linux 6 openssl098e -> Will not fix
Red Hat Enterprise Linux 5 openssl-0.9.8e-40.el5_11 -> Released
Red Hat Enterprise Linux 5 openssl097a -> Will not fix

RedHat security team is still working on CVE-2016-2106 fix for RHEL7/6 openssl098e version.

CentOS announced the availability of patched OpenSSL packages in its repositories. The version number is openssl-1.0.1e-51.el7_2.5.

# yum info openssl
# yum update openssl
and then reboot the system.

Please note that RedHat WILL NOT release a patch for discontinued server versions such as RHEL 4. For more details check RedHat security portal here.

You can verify if the OpenSSL vulnerabilities are patched by using the below command:

# rpm -q –changelog | egrep -i “(CVE-2016-2107|CVE-2016-2108)”

On AWS Linux Systems:

# yum info openssl
# yum update openssl
and then reboot the system.

If you do not see new OpenSSL packages listed, your update setting may not be correct, or your OS version may no longer be supported. If your OS version is not listed to be fixed, you may have to custom patch the server from OpenSSL source. You’ll need OpenSSL versions 1.0.2h or 1.0.1t, depending on which current version of OpenSSL you use.

More information about CVE-2016-2108 & CVE-2016-2107

OpenSSL Security Advisory
USN-2959-1: OpenSSL vulnerabilities

 

 

Please follow and like us:
Urolime Technologies has made groundbreaking accomplishments in the field of Google Cloud & Kubernetes Consulting, DevOps Services, 24/7 Managed Services & Support, Dedicated IT Team, Managed AWS Consulting and Azure Cloud Consulting. We believe our customers are Smart to choose their IT Partner, and we “Do IT Smart”.
Posts created 164

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts

Begin typing your search term above and press enter to search. Press ESC to cancel.

Enjoy this blog? Please spread the word :)