Resolution for CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176 (OpenSSL May 3, 2016)


Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 5
  • Red Hat JBoss Web Server 2 for RHEL 6/RHEL 7
  • Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6
  • Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7
  • openssl, openssl097a, openssl098e

Issue

  • On 3 May 2016, the OpenSSL project team announced the release of OpenSSL versions 1.0.2h and 1.0.1t. These new versions of the OpenSSL toolkit fix several security issues, which the Red Hat Product Security team has rated as having Moderate, Important, or Low impact.
  • What Red Hat products and distributed versions of OpenSSL are affected?
  • openssl: EVP_EncodeUpdate overflow (CVE-2016-2105)
  • openssl: EVP_EncryptUpdate overflow (CVE-2016-2106)
  • openssl: Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
  • openssl: Memory corruption in the ASN.1 encoder (CVE-2016-2108)
  • openssl: ASN.1 BIO handling of large amounts of data (CVE-2016-2109)
  • openssl: EBCDIC overread in X509_NAME_oneline() (CVE-2016-2176)

Resolution

Red Hat Enterprise Linux is affected by these CVEs.
These issues will be addressed in the following openssl updates (at the time of writing, the Red Hat Security Team is working on them):

CVE           | Impact    | BZ      | Platform                                            | Errata         | Package                   | State
--------------|-----------|---------|-----------------------------------------------------|----------------|---------------------------|-------------
CVE-2016-2105 | Moderate  | 1331441 | Red Hat Enterprise Linux 7                          | RHSA-2016-0722 | openssl-1.0.1e-51.el7_2.5 | Released
CVE-2016-2105 | Moderate  | 1331441 | Red Hat Enterprise Linux 7                          | -              | openssl098e               | Will not fix
CVE-2016-2105 | Moderate  | 1331441 | Red Hat Enterprise Linux 6                          | RHSA-2016-0996 | openssl-1.0.1e-48.el6_8.1 | Released
CVE-2016-2105 | Moderate  | 1331441 | Red Hat Enterprise Linux 6.7.z                      | RHSA-2016-2073 | openssl-1.0.1e-42.el6_7.5 | Released
CVE-2016-2105 | Moderate  | 1331441 | Red Hat Enterprise Linux 6                          | -              | openssl098e               | Will not fix
CVE-2016-2105 | Moderate  | 1331441 | Red Hat Enterprise Linux 5                          | -              | openssl                   | Will not fix
CVE-2016-2105 | Moderate  | 1331441 | Red Hat Enterprise Linux 5                          | -              | openssl097a               | Will not fix
CVE-2016-2105 | Moderate  | 1331441 | JBoss Enterprise Web Server 2 for RHEL 7            | RHSA-2016-1648 | httpd22-2.2.26-56.ep6.el7 | Released
CVE-2016-2105 | Moderate  | 1331441 | JBoss Enterprise Application Platform 6.3 for RHEL 7 | RHSA-2016-2054 | httpd22-2.2.26-56.ep6.el7 | Released
CVE-2016-2105 | Moderate  | 1331441 | JBoss Enterprise Web Server 2 for RHEL 6            | RHSA-2016-1649 | httpd-2.2.26-54.ep6.el6   | Released
CVE-2016-2105 | Moderate  | 1331441 | JBoss Enterprise Application Platform 6 for RHEL 6  | RHSA-2016-2055 | httpd-2.2.26-54.ep6.el6   | Released
CVE-2016-2106 | Moderate  | 1331536 | Red Hat Enterprise Linux 7                          | RHSA-2016-0722 | openssl-1.0.1e-51.el7_2.5 | Released
CVE-2016-2106 | Moderate  | 1331536 | Red Hat Enterprise Linux 7                          | -              | openssl098e               | Will not fix
CVE-2016-2106 | Moderate  | 1331536 | Red Hat Enterprise Linux 6                          | RHSA-2016-0996 | openssl-1.0.1e-48.el6_8.1 | Released
CVE-2016-2106 | Moderate  | 1331536 | Red Hat Enterprise Linux 6.7.z                      | RHSA-2016-2073 | openssl-1.0.1e-42.el6_7.5 | Released
CVE-2016-2106 | Moderate  | 1331536 | Red Hat Enterprise Linux 6                          | -              | openssl098e               | Will not fix
CVE-2016-2106 | Moderate  | 1331536 | Red Hat Enterprise Linux 5                          | -              | openssl                   | Will not fix
CVE-2016-2106 | Moderate  | 1331536 | Red Hat Enterprise Linux 5                          | -              | openssl097a               | Will not fix
CVE-2016-2106 | Moderate  | 1331536 | JBoss Enterprise Web Server 2 for RHEL 7            | RHSA-2016-1648 | httpd22-2.2.26-56.ep6.el7 | Released
CVE-2016-2106 | Moderate  | 1331536 | JBoss Enterprise Application Platform 6.3 for RHEL 7 | RHSA-2016-2054 | httpd22-2.2.26-56.ep6.el7 | Released
CVE-2016-2106 | Moderate  | 1331536 | JBoss Enterprise Web Server 2 for RHEL 6            | RHSA-2016-1649 | httpd-2.2.26-54.ep6.el6   | Released
CVE-2016-2106 | Moderate  | 1331536 | JBoss Enterprise Application Platform 6 for RHEL 6  | RHSA-2016-2055 | httpd-2.2.26-54.ep6.el6   | Released
CVE-2016-2107 | Moderate  | 1331426 | Red Hat Enterprise Linux 7                          | RHSA-2016-0722 | openssl-1.0.1e-51.el7_2.5 | Released
CVE-2016-2107 | Moderate  | 1331426 | Red Hat Enterprise Linux 7                          | -              | openssl098e               | Not affected
CVE-2016-2107 | Moderate  | 1331426 | Red Hat Enterprise Linux 6                          | RHSA-2016-0996 | openssl-1.0.1e-48.el6_8.1 | Released
CVE-2016-2107 | Moderate  | 1331426 | Red Hat Enterprise Linux 6.7.z                      | RHSA-2016-2073 | openssl-1.0.1e-42.el6_7.5 | Released
CVE-2016-2107 | Moderate  | 1331426 | Red Hat Enterprise Linux 6                          | -              | openssl098e               | Not affected
CVE-2016-2107 | Moderate  | 1331426 | Red Hat Enterprise Linux 5                          | -              | openssl                   | Not affected
CVE-2016-2107 | Moderate  | 1331426 | Red Hat Enterprise Linux 5                          | -              | openssl097a               | Not affected
CVE-2016-2108 | Important | 1331402 | Red Hat Enterprise Linux 7                          | RHSA-2016-0722 | openssl-1.0.1e-51.el7_2.5 | Released
CVE-2016-2108 | Important | 1331402 | Red Hat Enterprise Linux 7                          | -              | openssl098e               | Will not fix
CVE-2016-2108 | Important | 1331402 | Red Hat Enterprise Linux 6                          | RHSA-2016-0996 | openssl-1.0.1e-48.el6_8.1 | Released
CVE-2016-2108 | Important | 1331402 | Red Hat Enterprise Linux 6.7.z                      | RHSA-2016-2073 | openssl-1.0.1e-42.el6_7.5 | Released
CVE-2016-2108 | Important | 1331402 | Red Hat Enterprise Linux 6                          | -              | openssl098e               | Will not fix
CVE-2016-2108 | Important | 1331402 | Red Hat Enterprise Linux 5                          | RHSA-2016-1137 | openssl-0.9.8e-40.el5_11  | Released
CVE-2016-2108 | Important | 1331402 | Red Hat Enterprise Linux 5                          | -              | openssl097a               | Will not fix
CVE-2016-2109 | Low       | 1330101 | Red Hat Enterprise Linux 7                          | RHSA-2016-0722 | openssl-1.0.1e-51.el7_2.5 | Released
CVE-2016-2109 | Low       | 1330101 | Red Hat Enterprise Linux 7                          | -              | openssl098e               | Will not fix
CVE-2016-2109 | Low       | 1330101 | Red Hat Enterprise Linux 6                          | RHSA-2016-0996 | openssl-1.0.1e-48.el6_8.1 | Released
CVE-2016-2109 | Low       | 1330101 | Red Hat Enterprise Linux 6.7.z                      | RHSA-2016-2073 | openssl-1.0.1e-42.el6_7.5 | Released
CVE-2016-2109 | Low       | 1330101 | Red Hat Enterprise Linux 6                          | -              | openssl098e               | Will not fix
CVE-2016-2109 | Low       | 1330101 | Red Hat Enterprise Linux 5                          | -              | openssl                   | Will not fix
CVE-2016-2109 | Low       | 1330101 | Red Hat Enterprise Linux 5                          | -              | openssl097a               | Will not fix
CVE-2016-2109 | Low       | 1330101 | JBoss Enterprise Application Platform 6.3 for RHEL 7 | RHSA-2016-2054 | httpd22-2.2.26-56.ep6.el7 | Released
CVE-2016-2109 | Low       | 1330101 | JBoss Enterprise Application Platform 6 for RHEL 6  | RHSA-2016-2055 | httpd-2.2.26-54.ep6.el6   | Released
CVE-2016-2176 | Low       | 1331563 | Red Hat Enterprise Linux 7                          | -              | openssl                   | Not affected
CVE-2016-2176 | Low       | 1331563 | Red Hat Enterprise Linux 7                          | -              | openssl098e               | Not affected
CVE-2016-2176 | Low       | 1331563 | Red Hat Enterprise Linux 6                          | -              | openssl                   | Not affected
CVE-2016-2176 | Low       | 1331563 | Red Hat Enterprise Linux 6                          | -              | openssl098e               | Not affected
CVE-2016-2176 | Low       | 1331563 | Red Hat Enterprise Linux 5                          | -              | openssl                   | Not affected
CVE-2016-2176 | Low       | 1331563 | Red Hat Enterprise Linux 5                          | -              | openssl097a               | Not affected

NOTE: The version of openssl097a shipped with Red Hat Enterprise Linux 5 is also affected by some of these CVEs. As Red Hat Enterprise Linux 5 is now in the Production 3 phase of its support and maintenance life cycle, during which only Critical security advisories are provided, this issue is currently not planned to be addressed in future updates.
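As an added check that is not part of the Red Hat solution above, the following Python script compares the openssl build installed on a host, as printed by rpm -q, against the fixed builds listed in the errata table. The platform keys (rhel7, rhel6, rhel6.7.z, rhel5) and the sample rpm output are constructed for this example; the version comparison is a simplified reimplementation of rpm's rpmvercmp.

```python
import re

# Fixed openssl builds (version, release) taken from the errata table above.
# On RHEL 5 only CVE-2016-2108 was fixed (RHSA-2016-1137); the other CVEs are
# "Will not fix" or "Not affected" there.
FIXED = {
    "rhel7":     ("1.0.1e", "51.el7_2.5"),  # RHSA-2016-0722
    "rhel6":     ("1.0.1e", "48.el6_8.1"),  # RHSA-2016-0996
    "rhel6.7.z": ("1.0.1e", "42.el6_7.5"),  # RHSA-2016-2073
    "rhel5":     ("0.9.8e", "40.el5_11"),   # RHSA-2016-1137
}
ARCH_RE = re.compile(r"\.(x86_64|i686|i386|noarch|ppc64|ppc64le|s390x|aarch64)$")
SEG_RE = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Simplified rpmvercmp: compare digit/alpha runs segment by segment.
    Numeric segments compare by value and beat alpha ones; if all shared
    segments match, the longer string wins. Tilde/caret rules are omitted."""
    if a == b:
        return 0
    sa, sb = SEG_RE.findall(a), SEG_RE.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_nvr(nvr):
    """Split 'name-version-release[.arch]' as printed by rpm -q into parts."""
    name, version, release = ARCH_RE.sub("", nvr.strip()).rsplit("-", 2)
    return name, version, release

def is_fixed(installed_nvr, platform):
    """True if the installed build is at or above the errata build for platform."""
    _, ver, rel = parse_nvr(installed_nvr)
    fixed_ver, fixed_rel = FIXED[platform]
    # Compare version first; only on a tie does the release decide.
    return (rpmvercmp(ver, fixed_ver) or rpmvercmp(rel, fixed_rel)) >= 0

def audit(rpm_q_output, platform):
    """Map each package in 'rpm -q openssl openssl-libs' output to True/False."""
    return {parse_nvr(line)[0]: is_fixed(line, platform)
            for line in rpm_q_output.splitlines() if line.strip()}

# Constructed sample of 'rpm -q openssl openssl-libs' output from a RHEL 7 host.
SAMPLE_RHEL7 = "openssl-1.0.1e-51.el7_2.5.x86_64\nopenssl-libs-1.0.1e-42.el7.9.x86_64\n"
```

Pick the platform key that matches the host's z-stream (a RHEL 6.7.z host must be checked against rhel6.7.z, not rhel6, or a correctly patched box will be reported as vulnerable).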

Root Cause

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

3 Comments

Just curious, why do we have to wait so long for a fix? I know Q/A and such, but IMHO it takes too long.

OK, so Red Hat is listening to its customers :-) 15 minutes after my post I received the official advisory :-)

Trying to compile from source; at make test, I got this error.

/usr/bin/perl cms-test.pl
CMS => PKCS#7 compatibility tests
signed content DER format, RSA key: verify error
make[1]: *** [test_cms] Error 1
make[1]: Leaving directory `/root/src/openssl-1.0.1t/test'
make: *** [tests] Error 2

Any idea how to fix it?

Series of commands:

./config shared
make depend
make test