How to fix the high severity OpenSSL bugs (memory corruption, padding oracle) in Ubuntu, CentOS, Red Hat, openSUSE/SLES and other Linux servers
Early today (3 May 2016), OpenSSL released versions 1.0.2h and 1.0.1t, fixing two high severity bugs and four low severity ones. The first high severity bug, CVE-2016-2108, is a memory corruption vulnerability in the ASN.1 encoder: crafted ASN.1 input (a certificate, for example) could crash a service or potentially allow an attacker to execute code.
The second, CVE-2016-2107, is a padding oracle in the AES-NI CBC MAC check. A Man-In-The-Middle (MITM) attacker can use it to decrypt traffic, including login passwords, on connections that negotiated an AES CBC cipher suite with a server using AES-NI.
As of this post, Ubuntu and SUSE have released patched packages for these vulnerabilities.
Here’s how you can secure your Linux server:
Ubuntu has released patches (USN-2959-1) for releases 12.04 through 16.04, with the following package versions:
Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.36
Ubuntu 14.04 LTS: libssl1.0.0 1.0.1f-1ubuntu2.19
Ubuntu 15.10: libssl1.0.0 1.0.2d-0ubuntu1.5
Ubuntu 16.04 LTS: libssl1.0.0 1.0.2g-1ubuntu4.1
If your Ubuntu release is listed above, refresh the package index and upgrade libssl with the commands below:
# apt-get update
# apt-get install --only-upgrade libssl1.0.0
Upgrading the library does not fix processes that already have the old copy mapped in memory. Restart every service that links against libssl or libcrypto (web, mail, database, VPN and so on) or reboot the server; until then those services keep running the vulnerable code.
You can confirm that the patches are applied by checking the package changelog for the two CVE numbers (the pattern needs extended regular expressions, so use -E rather than -e, which would treat the parentheses and pipe as literal characters):
# zgrep -E "CVE-2016-210[78]" /usr/share/doc/libssl1.0.0/changelog.Debian.gz
and by comparing the installed version with the fixed version for your release:
# dpkg -l libssl1.0.0
If you have an older Ubuntu release that no longer receives updates, or if you are unable to upgrade for some reason, you will need to build a fixed OpenSSL from source: 1.0.2h if you run 1.0.2, or 1.0.1t if you run 1.0.1. Be aware that a source build installs into its own prefix (/usr/local/ssl by default) and does not replace the distribution's libssl, so services that link against the system library stay vulnerable unless they are rebuilt against the new library or the distribution package itself is rebuilt with the fix.
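The Ubuntu procedure above (compare the installed libssl1.0.0 version against the fixed version for the release, upgrade if it is older, then find processes still mapping the replaced library) as one script. This is an added example, not code from the original post or from Ubuntu; it assumes a Debian-style dpkg/apt system with GNU coreutils (sort -V), and the fixed versions are the USN-2959-1 ones quoted above. The sample /proc/PID/maps excerpt used by the self-check is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Ubuntu with dpkg/apt
# and GNU coreutils. Run as root with: ./check_libssl.sh --run
set -u

# Fixed libssl1.0.0 version per Ubuntu release (from USN-2959-1).
fixed_version_for() {
    case "$1" in
        12.04) echo "1.0.1-4ubuntu5.36" ;;
        14.04) echo "1.0.1f-1ubuntu2.19" ;;
        15.10) echo "1.0.2d-0ubuntu1.5" ;;
        16.04) echo "1.0.2g-1ubuntu4.1" ;;
        *) return 1 ;;
    esac
}

# is_at_least INSTALLED FIXED: succeeds if INSTALLED >= FIXED.
# sort -V is used as an approximation of dpkg --compare-versions; it is
# exact for the versions above, which contain no epochs or tildes.
is_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Reads one /proc/PID/maps on stdin; succeeds if the process still maps a
# libssl/libcrypto file that was replaced on disk (the kernel marks such
# mappings "(deleted)"), i.e. it is still running the old code.
maps_has_stale_libssl() {
    grep -Eq 'lib(ssl|crypto)\.so[^ ]* \(deleted\)$'
}

# PIDs of all processes still using a replaced libssl/libcrypto.
stale_libssl_pids() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if maps_has_stale_libssl < "$maps" 2>/dev/null; then
            echo "$pid"
        fi
    done
}

# Constructed maps excerpt for the self-check: one replaced library mapping
# and one current mapping.
SAMPLE_MAPS_STALE='7f3a1c000000-7f3a1c05e000 r-xp 00000000 08:01 393219 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)'
SAMPLE_MAPS_CURRENT='7f3a1c000000-7f3a1c05e000 r-xp 00000000 08:01 393219 /lib/x86_64-linux-gnu/libssl.so.1.0.0'

main() {
    release=$(. /etc/os-release && echo "$VERSION_ID")
    fixed=$(fixed_version_for "$release") || {
        echo "no fixed libssl1.0.0 version known for Ubuntu $release"; exit 2; }
    installed=$(dpkg-query -W -f='${Version}' libssl1.0.0)
    if is_at_least "$installed" "$fixed"; then
        echo "libssl1.0.0 $installed is at or above the fixed version $fixed"
    else
        echo "libssl1.0.0 $installed is below $fixed; upgrading"
        apt-get update && apt-get install -y --only-upgrade libssl1.0.0
    fi
    stale=$(stale_libssl_pids)
    if [ -n "$stale" ]; then
        echo "processes still using the old libssl/libcrypto (restart them or reboot):"
        for p in $stale; do
            echo "  $p $(tr '\0' ' ' < "/proc/$p/cmdline")"
        done
    fi
}

# Only act on the host when explicitly asked, so the functions can be
# sourced and tested without touching the package database.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

The "(deleted)" check is the part most often skipped: the apt upgrade replaces the file on disk, but a long-running daemon that loaded libssl before the upgrade keeps executing the old, vulnerable mapping until it is restarted.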
SUSE has released the following package versions to fix these vulnerabilities:
SUSE Linux Enterprise Server 11-SECURITY (i586 ia64 ppc64 s390x x86_64):
SUSE Linux Enterprise Server 11-SECURITY (ppc64 s390x x86_64):
SUSE Linux Enterprise Server 11-SECURITY (ia64):
You can use this command to update your SUSE server (and, as with Ubuntu, restart the services that link against OpenSSL afterwards):
# zypper in -t patch secsp3-openssl1-12539=1
If your OS version is not listed above, you may have to build a fixed OpenSSL from source, as described for Ubuntu: 1.0.2h for the 1.0.2 series or 1.0.1t for the 1.0.1 series, with the same caveat that services linked against the distribution's library are not fixed by a source install alone.
If you are not comfortable upgrading or patching your system, we can help you. Just click here to get in touch with a Linux expert.