USN-2537-1: OpenSSL vulnerabilities


Severity

Low to High

Vendor

Canonical Ubuntu

Versions Affected
  • Canonical Ubuntu 14.10, 10.04 LTS and 14.04 LTS

Description

Several Low-to-High severity vulnerabilities impacting the versions of Ubuntu Linux included in the Cloud Foundry Stemcell and Runtime have been identified:

  • It was discovered that OpenSSL incorrectly handled malformed EC private key files. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or to execute arbitrary code. (CVE-2015-0209, Low severity)
  • OpenSSL incorrectly handled comparing ASN.1 boolean types. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2015-0286, Medium severity)
  • OpenSSL incorrectly handled ASN.1 structure reuse. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2015-0287, Medium severity)
  • OpenSSL incorrectly handled invalid certificate keys. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2015-0288, Low severity)
  • OpenSSL incorrectly handled missing outer ContentInfo when parsing PKCS#7 structures. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2015-0289, Medium severity)
  • OpenSSL incorrectly handled decoding Base64 encoded data. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2015-0292, Medium severity)
  • OpenSSL incorrectly handled specially crafted SSLv2 CLIENT-MASTER-KEY messages. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2015-0293, Medium severity)
  • The FREAK vulnerability (CVE-2015-0204, upgraded from Medium to High severity).

Affected Pivotal Products and Versions

Severity is low unless otherwise noted.

  • BOSH: All versions of Cloud Foundry BOSH stemcells prior to v2889 include OpenSSL 1.0.1f and thus are vulnerable to the aforementioned CVEs.
  • Cloud Foundry Runtime cf-release versions prior to 205 contain the lucid and cflinuxfs2 RootFS, which include OpenSSL 0.9.8k and 1.0.1f and thus are vulnerable to the aforementioned CVEs.
  • Pivotal Cloud Foundry Elastic Runtime versions 1.1.0.0 to 1.3.4.0 use the lucid RootFS containing OpenSSL 1.0.1f and thus are vulnerable to the aforementioned CVEs. In addition, the HAProxy job in Elastic Runtime, while not recommended for production usage, allows EXPORT ciphers and thus is vulnerable to CVE-2015-0204.

Mitigation
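The HAProxy EXPORT-cipher exposure noted above is a configuration weakness a deployer can check for directly. The following added example (not code from the Cloud Foundry or Pivotal releases) audits an HAProxy configuration for cipher strings that still admit EXPORT suites; it uses the real `ssl-default-bind-ciphers` and `bind ... ciphers` directives, while the sample configs, the token sets and the simplified cipher-string semantics are constructed assumptions.

```python
import re
# Tokens that pull RSA_EXPORT suites into the list on OpenSSL 1.0.1-era builds.
# This is a heuristic approximation of OpenSSL cipher-string semantics; confirm
# with `openssl ciphers -v '<string>'` on the build in question.
EXPORT_TOKENS = {"EXPORT", "EXP", "EXPORT40", "EXPORT56"}
BROAD_TOKENS = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT"}
# Real HAProxy directives that carry an OpenSSL cipher string.
CIPHER_DIRECTIVE = re.compile(
    r"^\s*(?:ssl-default-bind-ciphers\s+(\S+)|bind\s.*?\bciphers\s+(\S+))")

def _adds_export(bare):
    """Does a bare token (no leading !, -, +) select EXPORT-grade suites?"""
    parts = bare.upper().split("+")  # "kRSA+EXPORT" is an intersection
    return any(p in EXPORT_TOKENS for p in parts) or all(p in BROAD_TOKENS for p in parts)

def allows_export(cipher_string):
    """True if the cipher string can still offer EXPORT-grade suites."""
    allowed = False
    for tok in cipher_string.split(":"):
        if tok.startswith(("@", "+")):  # ordering directives add nothing
            continue
        if tok.startswith("!"):         # kill: permanently removed
            if _adds_export(tok[1:]):
                return False
        elif tok.startswith("-"):       # delete: removed until re-added
            if _adds_export(tok[1:]):
                allowed = False
        elif _adds_export(tok):
            allowed = True
    return allowed

def audit_haproxy(config_text):
    """(line number, cipher string) for each directive still permitting EXPORT suites."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = CIPHER_DIRECTIVE.match(line)
        if m and allows_export(m.group(1) or m.group(2)):
            findings.append((n, m.group(1) or m.group(2)))
    return findings

# Constructed sample configs (not taken from any Cloud Foundry release).
WEAK_CFG = """global
    ssl-default-bind-ciphers ALL:!aNULL:!eNULL
frontend https-in
    bind *:443 ssl crt /etc/haproxy/cert.pem ciphers DEFAULT
"""
HARDENED_CFG = """frontend https-in
    bind *:443 ssl crt /etc/haproxy/cert.pem ciphers HIGH:!aNULL:!EXPORT:!RC4
"""
```

Running `audit_haproxy(WEAK_CFG)` flags both cipher directives, while the hardened config, whose explicit `!EXPORT` kill matches the stronger default cipher suite shipped in the fixed release, produces no findings.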

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry project recommends that Cloud Foundry Runtime Deployments running cf-release v204 or earlier upgrade to v205 or later and BOSH stemcells 2889 or later, which contain the patched versions of OpenSSL that resolve the aforementioned CVEs.
  • Pivotal recommends customers upgrade to Pivotal CF Elastic Runtime 1.3.5.0 or greater, which contains patched versions of OpenSSL and a stronger default cipher suite, resolving the aforementioned CVEs. The release is available from Pivotal Network.

Credit

Stephen Henson - CVE-2015-0209

Emilia Käsper - CVE-2015-0286

Brian Carpenter - CVE-2015-0288

Michal Zalewski - CVE-2015-0289

Robert Dugal and David Ramos - CVE-2015-0292

Sean Burford and Emilia Käsper - CVE-2015-0293

References