OpenSSL: Alternative chains certificate forgery vulnerability (CVE-2015-1793)

Solution In Progress - Updated -

Environment

  • Red Hat Enterprise Linux 4, 5, 6, 7
  • Red Hat JBoss Enterprise Application Platform (EAP) 5, 6
  • Red Hat JBoss Enterprise Web Server (EWS) 1, 2
  • Red Hat JBoss Web Server (JWS) 3
  • Inktank Ceph Enterprise (ICE) 1
  • Red Hat Storage Console
  • Red Hat Enterprise Virtualization

Issue

Resolution

  • No Red Hat products are affected by the CVE-2015-1793 flaw. No actions need to be performed to fix or mitigate this issue in any way.

Root Cause

  • The OpenSSL project has published information about an important vulnerability (CVE-2015-1793) affecting openssl versions 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c.
  • These upstream versions have only been available for a month, and given Red Hat's policy of performing careful backports of important bug fixes and selected features, this functionality is not present in any version of OpenSSL shipped in any Red Hat product.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.