How is RHEL affected by CVE-2014-0221?

Solution Verified

Environment

  • Red Hat Enterprise Linux version 5 (openssl)

  • Red Hat Enterprise Linux version 6 (openssl)

  • Red Hat Enterprise Linux version 7 (openssl)

  • Red Hat Storage Server 2.1 (openssl)

  • Red Hat JBoss Enterprise Application Platform 6.3

  • Red Hat JBoss Web Server 2.1

Issue

  • What is the resolution for CVE-2014-0221 (openssl: DoS when sending an invalid DTLS handshake)?

  • Does CVE-2014-0221 affect EWS? We are using the latest Red Hat JBoss Web Apache HTTP Server (2.2.22) and it still has the CVE-2014-0221 vulnerability after patching it with the security advisories in the download section.

  • How to deal with CVE-2014-0221?

A denial of service flaw was found in the way OpenSSL handled certain DTLS ServerHello requests.
A specially crafted DTLS handshake packet could cause a DTLS client using OpenSSL to crash.

Resolution

  • Red Hat security errata for Red Hat Enterprise Linux version 5 (openssl) was released via RHSA-2014:1053

  • Red Hat security errata for Red Hat Enterprise Linux version 6 (openssl) was released via RHSA-2014:0625

  • Red Hat security errata for Red Hat Enterprise Linux version 7 (openssl) was released via RHSA-2014:0679

  • Red Hat security errata for Red Hat Storage Server 2.1 (openssl) was released via RHSA-2014:0628

  • Red Hat security errata for Red Hat JBoss Enterprise Application Platform 6.3 was released via RHSA-2014:1021

  • Red Hat security errata for Red Hat JBoss Web Server 2.1 was released via RHSA-2014:1086

  • EWS 2.0.1 Apache for Windows and Solaris is affected by CVE-2014-0221 because it uses OpenSSL 0.9.8e. This is fixed in EWS 2.1.0. However, you should not be affected by this vulnerability unless you are using JBoss EWS Apache as a DTLS client to some other, untrusted or malicious, DTLS-using service. Therefore, the mitigation is to not connect to untrusted servers using DTLS.

Root Cause

  • The MITRE CVE dictionary describes this issue as: The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake.

Diagnostic Steps

  • Check whether a server endpoint accepts a DTLS connection. If the command below connects (you do not see a failure message), the server expects or allows DTLS connections, so a client connecting to that endpoint could be exposed to this vulnerability.
     # echo 0 | openssl s_client -dtls1 -connect redhat.com:443 -debug
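As an added example (not code from the Red Hat article), the two checks a RHEL administrator needs here: since Red Hat backports the fix without bumping the upstream OpenSSL version, the RPM changelog, not `openssl version`, shows whether the RHSA is installed; and the second helper interprets the output of the s_client probe above. The package names are assumptions and all sample text is constructed.

```bash
#!/bin/bash
# Added example, not part of the Red Hat article. RHEL backports security
# fixes without changing the upstream OpenSSL version string, so
# "openssl version" cannot show whether the RHSA fix is installed, but the
# RPM changelog can. The second helper interprets the article's s_client
# probe. Package names below are assumptions; sample text is constructed.

CVE="CVE-2014-0221"

# Returns 0 when the changelog text on stdin references the CVE, 1 otherwise.
changelog_fixes_cve() {
    grep -q -- "$1"
}

# Returns 0 when the installed package's changelog references the CVE.
installed_package_fixes_cve() {   # $1 = package, $2 = CVE id
    rpm -q --changelog "$1" 2>/dev/null | changelog_fixes_cve "$2"
}

# Classify the output of the article's probe, read from stdin:
#   echo 0 | openssl s_client -dtls1 -connect host:port -debug
# s_client prints "Cipher is (NONE)" when no handshake completed and a real
# cipher name (with "Protocol  : DTLSv1") when the server accepted DTLS.
classify_dtls_probe() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo "dtls-refused"
    elif printf '%s\n' "$out" | grep -q 'Cipher is '; then
        echo "dtls-accepted"
    else
        echo "no-handshake-summary"   # e.g. only "connect:errno=..." printed
    fi
}

# When run directly on a RHEL host: report the fix status of the openssl RPMs.
if [ "${BASH_SOURCE:-}" = "$0" ]; then
    for pkg in openssl openssl-libs; do
        rpm -q "$pkg" >/dev/null 2>&1 || continue
        if installed_package_fixes_cve "$pkg" "$CVE"; then
            echo "$pkg: changelog references $CVE (fix present)"
        else
            echo "$pkg: no $CVE changelog entry (apply the RHSA update)"
        fi
    done
fi
```

Note that `s_client -dtls1` speaks UDP, so the probe reaches a UDP listener on the given port, not a TCP-only HTTPS service on 443.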

External References

  • openssl

  • mitre

  • NVD

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
