OpenSSL vulnerability (CVE-2014-0224)

Comments, suggestions, compliments, etc
rskotecha
Posts: 3
Joined: 2014/06/19 11:00:33

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by rskotecha » 2014/06/24 06:30:06

Hi,
I'm currently using openssl-1.0.0-4 for CentOS 6. I would like to upgrade it to openssl 1.0.0m. However, I couldn't find 1.0.0 related rpms on centos mirror. Where can I find it ?

Thanks.

drk
Posts: 403
Joined: 2014/01/30 20:38:28

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by drk » 2014/06/24 06:42:51

rskotecha wrote:Hi,
I'm currently using openssl-1.0.0-4 for CentOS 6. I would like to upgrade it to openssl 1.0.0m. However, I couldn't find 1.0.0 related rpms on centos mirror. Where can I find it ?

Thanks.
That looks like it is from 2012/04/25. If you haven't updated the rest of your system then you have bigger problems than just openssl.

User avatar
TrevorH
Forum Moderator
Posts: 27127
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by TrevorH » 2014/06/24 07:34:42

Please look at post #2 of this thread for the latest versions that are applicable for CentOS. In common with the usual upstream patching policy, the fixes required have been backported to the the CentOS versions so it is not 1.0.0.m that you need. This will entail updaing to 6.5 and it's 1.0.1e packages. If you have a requirement to stick with a 1.0.0 release then you'll need to take out a RHEL subscription and pay the extra required to get EUS support to get patches for 6.4.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
CentOS 5 has been EOL for nearly 3 years and should no longer be used for anything!
Full time Geek, part time moderator. Use the FAQ Luke

StormTheGates
Posts: 9
Joined: 2014/06/25 00:16:09

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by StormTheGates » 2014/06/25 00:17:56

I have updated my CentOS with the yum update patches. However, when running my Nessus Vulnerability Scanner I still get:

According to its banner, the remote web server uses a version of OpenSSL 0.9.8 prior to 0.9.8za. The OpenSSL library is, therefore, reportedly affected by the following vulnerabilities :

- An error exists related to the implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA) that could allow nonce disclosure via the 'FLUSH+RELOAD' cache side-channel attack. (CVE-2014-0076)

- A buffer overflow error exists related to invalid DTLS fragment handling that could lead to execution of arbitrary code. Note this issue only affects OpenSSL when used as a DTLS client or server. (CVE-2014-0195)

- An error exists related to DTLS handshake handling that could lead to denial of service attacks. Note this issue only affects OpenSSL when used as a DTLS client.
(CVE-2014-0221)

- An unspecified error exists that could allow an attacker to cause usage of weak keying material leading to simplified man-in-the-middle attacks.
(CVE-2014-0224)

- An unspecified error exists related to anonymous ECDH ciphersuites that could allow denial of service attacks. Note this issue only affects OpenSSL TLS clients. (CVE-2014-3470)

Solution

Upgrade to OpenSSL 0.9.8za or later.

Banner : Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/0.9.8e-fips-rhel5 PHP/5.3.28
Installed version : 0.9.8e-fips-rhel5
Fixed version : 0.9.8za

User avatar
TrevorH
Forum Moderator
Posts: 27127
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by TrevorH » 2014/06/25 02:08:21

The important part of that is "According to its banner" which means it's just doing a version check and not testing for the vulnerability itself. If you look those CVE numbers up on the redhat website in their CVE section, what does it say about them? Your nessus scan is almost certainly returning a false positive.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
CentOS 5 has been EOL for nearly 3 years and should no longer be used for anything!
Full time Geek, part time moderator. Use the FAQ Luke

lacquer
Posts: 4
Joined: 2014/06/26 02:03:59

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by lacquer » 2014/06/26 08:33:54

Hi,
I'm looking for a patch for the openssl0.9.7 of CentOS 4.7.
Or, is there any other solutions?

User avatar
TrevorH
Forum Moderator
Posts: 27127
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by TrevorH » 2014/06/26 08:41:23

CentOS 4 has been end of life for more than 2 years and you're running a version that's at least 2 years older than that. There are no more security patches for CentOS 4 and you should be migrating off it to something that is supported. If you cannot migrate then your only option is to buy a Redhat subscription to the Extended Update Service which supplies security patches for a little while longer but that means you have to convert your CentOS to RHEL 4 first...
CentOS 6 will die in November 2020 - migrate sooner rather than later!
CentOS 5 has been EOL for nearly 3 years and should no longer be used for anything!
Full time Geek, part time moderator. Use the FAQ Luke

lacquer
Posts: 4
Joined: 2014/06/26 02:03:59

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by lacquer » 2014/06/27 01:16:49

TrevorH, thank you for your answer!

spinmaster
Posts: 10
Joined: 2014/11/19 19:30:22

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by spinmaster » 2014/11/19 19:35:27

I've patched my CentOS5.11 with 0.9.8e-31.el5_11, yet keep getting positive hits for CVE-2014-0224 by tripwire, ssllabs, Redhat and other scanners.

***CVE-2014-0224 Detection Tool v0.3***
Brought to you by Tripwire VERT (@TripwireVERT)
[TLSv1.2] **********************:443 may allow early CCS
[TLSv1.1] **********************:443 may allow early CCS
[TLSv1] **********************:443 may allow early CCS
[SSLv3] **********************:443 Invalid handhsake.
***This System Exhibits Potentially Vulnerable Behavior***
If this system is using OpenSSL, it should be upgraded.
============================
what else should I do to fix this?
Much appreciated.
Last edited by spinmaster on 2014/11/19 21:45:40, edited 1 time in total.

User avatar
TrevorH
Forum Moderator
Posts: 27127
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by TrevorH » 2014/11/19 21:31:40

And you restarted all services that use openssl like httpd?

Perhaps you have a non-standard openssl installed. What do you get if you run locate libssl.so?
CentOS 6 will die in November 2020 - migrate sooner rather than later!
CentOS 5 has been EOL for nearly 3 years and should no longer be used for anything!
Full time Geek, part time moderator. Use the FAQ Luke

Post Reply

Return to “User Comments”