How to fix high severity OpenSSL bugs (Memory corruption, Padding oracle) in Ubuntu, CentOS, RedHat, OpenSuse and other Linux servers

Earlier today (3 May 2016) the OpenSSL project released versions 1.0.2h and 1.0.1t, fixing two high severity bugs and four low severity ones (advisory: https://www.openssl.org/news/secadv/20160503.txt). The first high severity bug, CVE-2016-2108, is a memory corruption flaw in the ASN.1 encoder: a service that encodes attacker-supplied ASN.1 data (for example a crafted certificate) can be crashed or, in the worst case, made to execute attacker-controlled code.

The second, CVE-2016-2107, is a padding oracle in the AES-NI CBC MAC check. A man-in-the-middle (MITM) attacker can use it to decrypt TLS traffic, login passwords included, when the connection uses an AES-CBC cipher suite and the server runs the AES-NI code path.

At the time of writing, Ubuntu and SUSE have released fixed packages.

Here’s how you can secure your Linux server:

Ubuntu server

Ubuntu has released updated libssl1.0.0 packages for the releases below (12.04 LTS through 16.04 LTS), with the following package versions:

Ubuntu 12.04 LTS:  libssl1.0.0 1.0.1-4ubuntu5.36
Ubuntu 14.04 LTS:  libssl1.0.0 1.0.1f-1ubuntu2.19
Ubuntu 15.10:  libssl1.0.0 1.0.2d-0ubuntu1.5
Ubuntu 16.04 LTS:  libssl1.0.0 1.0.2g-1ubuntu4.1

If your Ubuntu release is listed above, refresh the package index and upgrade libssl1.0.0:

#  apt-get update
#  apt-get install --only-upgrade libssl1.0.0

Ubuntu backports the fixes into the existing upstream version, so the openssl version command still prints 1.0.1f (or 1.0.2g) after the update; judge the patch status by the package version, not by that banner. You can confirm that the patches are applied from the package changelog (the -E switch is required: with plain grep the parentheses and the | are literal characters and the pattern never matches):

# zgrep -iE "(CVE-2016-2108|CVE-2016-2107)" /usr/share/doc/libssl1.0.0/changelog.Debian.gz

Finally, restart every service that has the library loaded (Apache, nginx, Postfix, Dovecot, OpenSSH and anything else linked against libssl), or simply reboot: a process that loaded the old library keeps running the vulnerable code until it is restarted.

If you run an Ubuntu release that is no longer supported, or cannot upgrade the package for some reason, you will have to build OpenSSL from source: 1.0.1t if you are on the 1.0.1 branch, 1.0.2h if you are on 1.0.2. Keep in mind that a default source build installs under /usr/local and does not replace the distribution's libssl that packaged services are linked against, so those services stay vulnerable until they are rebuilt or relinked against the new library.

SUSE/openSUSE server

SUSE has released the following package versions for SUSE Linux Enterprise Server 11 to fix these vulnerabilities:

SUSE Linux Enterprise Server 11-SECURITY (i586 ia64 ppc64 s390x x86_64):
  libopenssl1-devel-1.0.1g-0.47.1
  libopenssl1_0_0-1.0.1g-0.47.1
  openssl1-1.0.1g-0.47.1
  openssl1-doc-1.0.1g-0.47.1
SUSE Linux Enterprise Server 11-SECURITY (ppc64 s390x x86_64):
  libopenssl1_0_0-32bit-1.0.1g-0.47.1
SUSE Linux Enterprise Server 11-SECURITY (ia64):
  libopenssl1_0_0-x86-1.0.1g-0.47.1

On SLES 11 you can install the patch with zypper:

# zypper in -t patch secsp3-openssl1-12539=1

As on Ubuntu, restart the services that use the library afterwards (or reboot); the upgraded file on disk does nothing for a process that already has the old one loaded.

If your OS version is not listed above, check your distribution's own security advisory before building anything by hand: Red Hat Enterprise Linux 7 and CentOS 7 ship the fix as openssl-1.0.1e-51.el7_2.5 and Fedora 23 as openssl-1.0.2h-1.fc23 (both confirmed in the comments below), and other distributions have their own backported packages. Only where no packaged fix exists should you build OpenSSL from source, using 1.0.1t on the 1.0.1 branch or 1.0.2h on 1.0.2, and then rebuild or restart everything that links against it.
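
One step the package commands above do not perform on any distribution: a process that loaded the old libssl or libcrypto before the upgrade keeps executing the vulnerable code until it is restarted, even though the file on disk is fixed, and an external scanner will still flag the server. The kernel records the replaced file as "(deleted)" in /proc/<pid>/maps, which gives a direct check. The script below is an added example, not the post's own procedure or a distribution tool; the maps sample (pids, inodes and addresses) is constructed, and running it with --live reads the real /proc (Linux only; as root to see every process).

```python
"""Find processes still mapping a replaced (deleted) libssl/libcrypto.

Added example, not part of the original post. It parses the text of
/proc/<pid>/maps, so it can be exercised offline with the constructed
sample below; --live scans the real /proc (Linux only; root sees all).
"""
import os
import re
import sys

# OpenSSL's shared objects: libssl.so.1.0.0, libcrypto.so.10, libssl.so ...
# (deliberately not NSS's libssl3.so, which is a different library).
OPENSSL_LIB = re.compile(r"/lib(ssl|crypto)\.so(\.[0-9.]+)?$")
DELETED = " (deleted)"


def stale_libs(maps_text):
    """Paths of deleted OpenSSL libraries mapped in one /proc/<pid>/maps text.

    dpkg/rpm replace the file on upgrade; a process that mapped the old
    inode keeps it, and the kernel appends '(deleted)' to the path.
    """
    stale = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)        # addr perms offset dev inode [path]
        if len(parts) < 6:
            continue                       # anonymous mapping, no path
        path = parts[5]
        if not path.endswith(DELETED):
            continue
        path = path[: -len(DELETED)]
        if OPENSSL_LIB.search(path):
            stale.add(path)
    return stale


def stale_by_process(maps_by_pid):
    """{pid: set(paths)} for every process that still maps a deleted OpenSSL library."""
    found = {}
    for pid, text in maps_by_pid.items():
        libs = stale_libs(text)
        if libs:
            found[pid] = libs
    return found


def read_proc_maps(proc_root="/proc"):
    """Collect the maps text of every process we are allowed to read."""
    maps_by_pid = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as f:
                maps_by_pid[int(entry)] = f.read()
        except OSError:
            continue                       # exited, or not ours to read
    return maps_by_pid


def process_name(pid, proc_root="/proc"):
    """Command name from /proc/<pid>/comm, '?' if unreadable."""
    try:
        with open(os.path.join(proc_root, str(pid), "comm")) as f:
            return f.read().strip()
    except OSError:
        return "?"


# Constructed sample (hypothetical pids, inodes, addresses): pid 1234 is an
# Apache worker started before the upgrade, pid 5678 a service started after it.
SAMPLE_MAPS = {
    1234: (
        "7f1c2a3e8000-7f1c2a5a0000 r-xp 00000000 fd:01 1310763   /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)\n"
        "7f1c2a7a0000-7f1c2a808000 r-xp 00000000 fd:01 1310777   /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"
        "7f1c2aa0c000-7f1c2abc7000 r-xp 00000000 fd:01 1310722   /lib/x86_64-linux-gnu/libc-2.19.so\n"
        "7ffd3c1e4000-7ffd3c205000 rw-p 00000000 00:00 0         [stack]\n"
    ),
    5678: (
        "7f5a10c00000-7f5a10db8000 r-xp 00000000 fd:01 1311002   /lib/x86_64-linux-gnu/libcrypto.so.1.0.0\n"
        "7f5a10fb8000-7f5a11020000 r-xp 00000000 fd:01 1311003   /lib/x86_64-linux-gnu/libssl.so.1.0.0\n"
    ),
}


if __name__ == "__main__":
    live = "--live" in sys.argv[1:]
    found = stale_by_process(read_proc_maps() if live else SAMPLE_MAPS)
    if not found:
        print("no process maps a deleted libssl/libcrypto")
    for pid, libs in sorted(found.items()):
        name = process_name(pid) if live else "sample"
        print(f"pid {pid} ({name}) still maps: {', '.join(sorted(libs))}")
```

Every pid the script reports belongs to a service that must be restarted (or the host rebooted) before the upgrade actually takes effect; a clean run after the restarts is the confirmation the package manager alone cannot give you.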

If you are not comfortable upgrading or patching your system, we can help you. Just click here to get in touch with a Linux expert.



7 Comments

  1. Fedora Update System, 2016-05-04 14:51:43 EDT:
     openssl-1.0.2h-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

     • Thank you Opfour. I’ve updated the post now. Waiting for the RPM to be listed in CentOS repos.

       • On Red Hat and CentOS I see the new (1:1.0.1e-51.el7_2.5) version of openssl.

         • Thank you Maciej. I’ve now updated the post.

  2. I’ve updated openssl to version 1:1.0.1e-51.el7_2.5 and restarted my VPS, however OpenSSL labs says I’m still vulnerable. Running CentOS with Apache.

  3. A vulnerability scan advises me of CVE-2016-2107 (OpenSSL advisory), that I may have a MITM incident. The OS is w2008R2 x64 Enterprise. How do I find out which OpenSSL version I’m running, and how do I go about remediating the issue? The suggestion given doesn’t lead me to the solution:

     https://www.openssl.org/news/secadv/20160503.txt

     OpenSSL 1.0.2 users should upgrade to 1.0.2h
     OpenSSL 1.0.1 users should upgrade to 1.0.1t

     • Hi Jessie,

       Windows servers do not have a default OpenSSL installation, but may have it installed alongside any open source software you have on your server. Please contact our Windows server experts at https://bobcares.com/server-administration-service/ for assistance. They would scan your server for all vulnerable software versions and secure it from all vulnerabilities.

About Bobcares

Bobcares is a server management company that helps businesses deliver uninterrupted and secure online services.