Bobcares

How to fix high severity OpenSSL bugs (Memory corruption, Padding oracle) in Ubuntu, CentOS, RedHat, OpenSuse and other Linux servers

by | May 4, 2016

Early today (3rd May 2016), OpenSSL released patches for two high-severity bugs and four low-severity ones. The first bug, CVE-2016-2108, is a memory corruption vulnerability, which could allow an attacker to crash a service or even execute malicious code.

The second bug, CVE-2016-2107, is a padding oracle vulnerability, which could be used in Man-In-The-Middle (MITM) attacks to steal encrypted login passwords.

As of this post, Ubuntu and Suse have released patches to fix these vulnerabilities.


Here’s how you can secure your Linux server:

Ubuntu server

Ubuntu has released patches for versions 12 through 16, with the following package versions:

Ubuntu 12.04 LTS:  libssl1.0.0 1.0.1-4ubuntu5.36
Ubuntu 14.04 LTS:  libssl1.0.0 1.0.1f-1ubuntu2.19
Ubuntu 15.10:  libssl1.0.0 1.0.2d-0ubuntu1.5
Ubuntu 16.04 LTS:  libssl1.0.0 1.0.2g-1ubuntu4.1

If your Ubuntu OS version is listed above, you can use the following command to update to the latest version of libssl:

#  apt-get install --only-upgrade libssl1.0.0

You can confirm that the patches are applied by checking the package changelog for both CVE numbers (the pattern needs extended regex, `-E`, for the alternation to work):

# zgrep -iE "(CVE-2016-2108|CVE-2016-2107)" /usr/share/doc/libssl1.0.0/changelog.Debian.gz

If you have an older Ubuntu server, or if you are unable to upgrade for some reason, you’ll need to custom patch the server from OpenSSL source. You’ll need OpenSSL versions 1.0.2h or 1.0.1t, depending on which current version of OpenSSL you use.

Suse/OpenSuse server

Suse has released the following package versions to fix the vulnerability:

SUSE Linux Enterprise Server 11-SECURITY (i586 ia64 ppc64 s390x x86_64):
  libopenssl1-devel-1.0.1g-0.47.1
  libopenssl1_0_0-1.0.1g-0.47.1
  openssl1-1.0.1g-0.47.1
  openssl1-doc-1.0.1g-0.47.1
SUSE Linux Enterprise Server 11-SECURITY (ppc64 s390x x86_64):
  libopenssl1_0_0-32bit-1.0.1g-0.47.1
SUSE Linux Enterprise Server 11-SECURITY (ia64):
  libopenssl1_0_0-x86-1.0.1g-0.47.1

You can use this command to update your Suse server:

# zypper in -t patch secsp3-openssl1-12539=1

If your OS version is not listed above, you may have to custom patch the server from OpenSSL source. You’ll need OpenSSL versions 1.0.2h or 1.0.1t, depending on which current version of OpenSSL you use.

If you are not comfortable upgrading or patching your system, we can help you. Just click here to get in touch with a Linux expert.

RedHat/CentOS server

As of this post, RedHat has not released a patch for the bugs. Since CentOS servers depend on RedHat packages, there are at present no CentOS patches either.

We are closely monitoring the progress of patch release from RedHat, and will update this section when a patch is available.

Please note that RedHat WILL NOT release a patch for discontinued server versions such as RHEL 4. For more details check RedHat security portal here.

UPDATE 06:04 MST 5th May: Redhat bugzilla reports that the patched OpenSSL rpm, openssl-1.0.2h-1.fc23, has been released to the Fedora 23 repositories. Anyone running Fedora should now be able to update OpenSSL using:

# dnf update openssl

However, when we checked, not all Fedora mirrors had the openssl-1.0.2h-1.fc23 rpm. So, running the above command may not get you the latest package.

Fedora RPMs are compatible with RedHat and CentOS systems, but since these RPMs are not yet listed in EPEL (Extra Packages for Enterprise Linux) repositories, or available in official RHEL/CentOS repos, you’ll need to test this RPM before it is used in production systems.

Click here to have one of our experts check if the Fedora RPM can be used in your system.

Update 05:20 MST 9th May: About 3 hours back, CentOS announced the availability of patched OpenSSL packages in its repositories. The version number is openssl-1.0.1e-51.el7_2.5. You can update your RedHat and CentOS servers by running:

# yum update openssl

You can verify that the OpenSSL vulnerabilities are patched by querying the changelog of the installed openssl package (the package name is required, or rpm reports no arguments for the query):

# rpm -q --changelog openssl | egrep -i "(CVE-2016-2107|CVE-2016-2108)"

You should see the output:

- fix CVE-2016-2108 - memory corruption in ASN.1 encoder
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC

If you do not see new OpenSSL packages listed, your update setting may not be correct, or your OS version may no longer be supported. Click here to have a Bobcares Linux expert audit and patch your server.

If your OS version is not listed to be fixed, you may have to custom patch the server from OpenSSL source. You’ll need OpenSSL versions 1.0.2h or 1.0.1t, depending on which current version of OpenSSL you use.
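The changelog checks for Ubuntu and RedHat/CentOS above, and the upstream version mapping for servers patched from source, combined into one script. This is an added example, not part of the Bobcares post; the changelog samples are constructed to match the output quoted above, and the live check assumes the package names used in the post (libssl1.0.0 on Ubuntu, openssl on RPM systems).

```shell
#!/bin/sh
# Added example: decide whether the installed OpenSSL carries the fixes for
# CVE-2016-2107 and CVE-2016-2108. Distro builds backport fixes without
# bumping the upstream version (CentOS ships 1.0.1e-51.el7_2.5), so the
# package changelog, not "openssl version", is the reliable signal.

# Return 0 when the changelog text on stdin mentions both CVEs.
changelog_has_fixes() {
    text=$(cat)
    printf '%s\n' "$text" | grep -qi 'CVE-2016-2107' || return 1
    printf '%s\n' "$text" | grep -qi 'CVE-2016-2108' || return 1
    return 0
}

# Map an upstream version string to the fixed upstream release, for servers
# that must be patched from source (1.0.1 -> 1.0.1t, 1.0.2 -> 1.0.2h).
upstream_fixed_for() {
    case "$1" in
        1.0.1*) echo 1.0.1t ;;
        1.0.2*) echo 1.0.2h ;;
        *) echo unknown; return 1 ;;
    esac
}

# Changelog of the installed package on a live Debian/Ubuntu or RPM system.
installed_changelog() {
    if command -v dpkg >/dev/null 2>&1; then
        zcat /usr/share/doc/libssl1.0.0/changelog.Debian.gz 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog openssl 2>/dev/null
    fi
}

# Constructed samples: the patched lines quoted in the post, and an older
# changelog that predates the May 2016 advisory.
SAMPLE_PATCHED='- fix CVE-2016-2108 - memory corruption in ASN.1 encoder
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC'
SAMPLE_OLD='- fix CVE-2016-0800 - DROWN'

# Run against the real system only when asked: ./check.sh --live
if [ "${1:-}" = "--live" ]; then
    if installed_changelog | changelog_has_fixes; then
        echo "patched: both CVEs present in package changelog"
    else
        echo "NOT patched (or package not found): update the package"
    fi
fi
```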



8 Comments

  1. Opfour

    Fedora Update System 2016-05-04 14:51:43 EDT
    openssl-1.0.2h-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

    Reply
    • Visakh

      Thank you Opfour. I’ve updated the post now. Waiting for the RPM to be listed in CentOS repos.

      Reply
      • Maciej

        On Redhat and CentOS I see new (1:1.0.1e-51.el7_2.5) version of openssl.

        Reply
        • Visakh

          Thank you Maciej. I’ve now updated the post.

          Reply
  2. Jan

    I’ve updated openssl to version 1:1.0.1e-51.el7_2.5 and restarted my VPS, however OpenSSL labs says I’m still vulnerable. Running CentOS with Apache.

    Reply
  3. Jessie K. Richardson

    A vulnerability scan advises me of CVE-2016-2107 (OpenSSL advisory), that I may have a MITM incident. The OS is w2008R2 x64 Enterprise. How do I find out which OpenSSL version I’m running, and how do I go about remediating the issue? The suggestion given doesn’t lead me to the solution:

    https://www.openssl.org/news/secadv/20160503.txt

    OpenSSL 1.0.2 users should upgrade to 1.0.2h
    OpenSSL 1.0.1 users should upgrade to 1.0.1t

    Reply
    • Reeshma Mathews

      Hi Jessie,

      Windows servers do not have a default OpenSSL installation, but may have it installed alongside any open source software you have on your server. Please contact our Windows server experts at https://bobcares.com/server-administration-service/ for assistance. They would scan your server for all vulnerable software versions and secure it from all vulnerabilities.

      Reply
  4. gk03

    Hi, I have the below Linux server configuration:

    openSUSE 11.4 (i586)
    VERSION = 11.4
    CODENAME = Celadon

    and

    OpenSSL 1.0.0c 2 Dec 2010
    built on: 2011-05-31 07:28:35.972000002 +0000
    platform: linux-elf

    To support TLSv1.2 and above:
    Can you guide me whether, if I upgrade only the OpenSSL version, it will support TLSv1.2 or TLSv1.3?

    Reply
