USN-3087-2 OpenSSL Regression


Severity

High

Vendor

Canonical Ubuntu, OpenSSL

Versions Affected
  • Canonical Ubuntu 14.04 LTS, OpenSSLv1
Description

USN-3087-1 fixed vulnerabilities in OpenSSL. The fix for CVE-2016-2182 was incomplete and caused a regression when parsing certificates. This update fixes the problem.

Original advisory details:
Shi Lei discovered that OpenSSL incorrectly handled the OCSP Status Request extension. A remote attacker could possibly use this issue to cause memory consumption, resulting in a denial of service. (CVE-2016-6304)

César Pereida, Billy Brumley, and Yuval Yarom discovered that OpenSSL did not properly use constant-time operations when performing DSA signing. A remote attacker could possibly use this issue to perform a cache-timing attack and recover private DSA keys. (CVE-2016-2178)

Quan Luo discovered that OpenSSL did not properly restrict the lifetime of queue entries in the DTLS implementation. A remote attacker could possibly use this issue to consume memory, resulting in a denial of service. (CVE-2016-2179)

Shi Lei discovered that OpenSSL incorrectly handled memory in the TS_OBJ_print_bio() function. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-2180)

It was discovered that the OpenSSL incorrectly handled the DTLS anti-replay feature. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-2181)

Shi Lei discovered that OpenSSL incorrectly validated division results. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-2182)

Karthik Bhargavan and Gaetan Leurent discovered that the DES and Triple DES ciphers were vulnerable to birthday attacks. A remote attacker could possibly use this flaw to obtain clear text data from long encrypted sessions. This update moves DES from the HIGH cipher list to MEDIUM. (CVE-2016-2183)

Shi Lei discovered that OpenSSL incorrectly handled certain ticket lengths. A remote attacker could use this issue to cause a denial of service. (CVE-2016-6302)

Shi Lei discovered that OpenSSL incorrectly handled memory in the MDC2_Update() function. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-6303)

Shi Lei discovered that OpenSSL incorrectly performed certain message length checks. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-6306)

Affected Pivotal Products and Versions

Severity is high unless otherwise noted.

  • Cloud Foundry BOSH stemcells 3146.x versions prior to 3146.23 AND 3232.x versions prior to 3232.21 AND other versions prior to 3262.16 are vulnerable
  • All versions of Cloud Foundry cflinuxfs2 prior to v.1.84.0
  • PCF Ops Manager versions prior to 1.6.22 and 1.7.x versions prior to 1.7.14 and 1.8.x versions prior to 1.8.3
  • PCF Elastic Runtime versions prior to 1.6.41 and 1.7.x versions prior to 1.7.23 and 1.8.x versions prior to 1.8.3
  • MySQL for PCF versions prior to 1.6.16 and 1.7.x versions prior to 1.7.14
  • RabbitMQ for PCF versions prior to 1.5.15 and 1.6.x versions prior to 1.6.7
  • Redis for PCF versions prior to 1.4.30 and 1.5.x versions prior to 1.5.20
  • PCF Metrics versions prior to 1.0.14 and 1.1.x versions prior to 1.1.0
  • PCF JMX Bridge (Ops Metrics) versions prior to 1.4.24 and 1.6.x versions prior to 1.6.18 and 1.7.x versions prior to 1.7.0
  • PCF Log Search versions prior to 1.0.0
  • Spring Cloud Services for PCF versions prior to 1.0.13 and 1.1.x versions prior to 1.1.4
  • Single Sign-On for PCF versions prior to 1.0.17
Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry team has released patched BOSH stemcells 3146.23, 3232.21, and 3262.16 with an upgraded Linux kernel that resolves the aforementioned issues. We recommend that Operators upgrade BOSH stemcell 3146.x versions to 3146.23 OR 3232.x versions to 3232.21 OR 3262.x versions to 3262.16.
  • The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 v.1.84.0 or later versions
  • Upgrade PCF Ops Manager to 1.6.22 or 1.7.x versions to 1.7.14 or 1.8.x versions to 1.8.3
  • Upgrade PCF Elastic Runtime to 1.6.41 or 1.7.x versions to 1.7.23 or 1.8.x versions to 1.8.3
  • Upgrade MySQL for PCF to 1.6.16 or 1.7.x versions to 1.7.14
  • Upgrade RabbitMQ for PCF to version 1.5.15 or 1.6.x versions to 1.6.7
  • Upgrade Redis for PCF to version 1.4.30 or 1.5.x versions to 1.5.20
  • Upgrade PCF Metrics to 1.0.14 or 1.1.x versions to 1.1.0
  • PCF JMX Bridge (Ops Metrics) to 1.4.24 or 1.6.x versions to 1.6.18 or 1.7.x versions to 1.7.0
  • Upgrade PCF Log Search to version 1.0.0
  • Upgrade Spring Cloud Services for PCF to 1.0.13 or 1.1.x versions to 1.1.4
  • Upgrade Single Sign-On for PCF to 1.0.17
Credit

Karthik Bhargavan, Billy Brumley, Shi Lei, Gaetan Leurent, Quan Luo, César Pereida, and Yuval Yarom

References