rhsa-2014_1692
Vulnerability from csaf_redhat
Published
2014-10-22 17:15
Modified
2024-11-05 18:39
Summary
Red Hat Security Advisory: openssl security update
Notes
Topic
Updated openssl packages that contain a backported patch to mitigate the
CVE-2014-3566 issue and fix two security issues are now available for Red
Hat Storage 2.1.
Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Details
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL),
Transport Layer Security (TLS), and Datagram Transport Layer Security
(DTLS) protocols, as well as a full-strength, general purpose cryptography
library.
This update adds support for the TLS Fallback Signaling Cipher Suite Value
(TLS_FALLBACK_SCSV), which can be used to prevent protocol downgrade
attacks against applications which re-connect using a lower SSL/TLS
protocol version when the initial connection indicating the highest
supported protocol version fails.
This can prevent a forceful downgrade of the communication to SSL 3.0.
The SSL 3.0 protocol was found to be vulnerable to the padding oracle
attack when using block cipher suites in cipher block chaining (CBC) mode.
This issue is identified as CVE-2014-3566, and also known under the alias
POODLE. This SSL 3.0 protocol flaw will not be addressed in a future
update; it is recommended that users configure their applications to
require at least TLS protocol version 1.0 for secure communication.
For additional information about this flaw, see the Knowledgebase article
at https://access.redhat.com/articles/1232123
A memory leak flaw was found in the way OpenSSL parsed the DTLS Secure
Real-time Transport Protocol (SRTP) extension data. A remote attacker could
send multiple specially crafted handshake messages to exhaust all available
memory of an SSL/TLS or DTLS server. (CVE-2014-3513)
A memory leak flaw was found in the way an OpenSSL handled failed session
ticket integrity checks. A remote attacker could exhaust all available
memory of an SSL/TLS or DTLS server by sending a large number of invalid
session tickets to that server. (CVE-2014-3567)
All OpenSSL users are advised to upgrade to these updated packages, which
contain backported patches to mitigate the CVE-2014-3566 issue and correct
the CVE-2014-3513 and CVE-2014-3567 issues. For the update to take effect,
all services linked to the OpenSSL library (such as httpd and other
SSL-enabled services) must be restarted or the system rebooted.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Updated openssl packages that contain a backported patch to mitigate the\nCVE-2014-3566 issue and fix two security issues are now available for Red\nHat Storage 2.1.\n\nRed Hat Product Security has rated this update as having Important security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.", "title": "Topic" }, { "category": "general", "text": "OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL),\nTransport Layer Security (TLS), and Datagram Transport Layer Security\n(DTLS) protocols, as well as a full-strength, general purpose cryptography\nlibrary.\n\nThis update adds support for the TLS Fallback Signaling Cipher Suite Value\n(TLS_FALLBACK_SCSV), which can be used to prevent protocol downgrade\nattacks against applications which re-connect using a lower SSL/TLS\nprotocol version when the initial connection indicating the highest\nsupported protocol version fails.\n\nThis can prevent a forceful downgrade of the communication to SSL 3.0.\nThe SSL 3.0 protocol was found to be vulnerable to the padding oracle\nattack when using block cipher suites in cipher block chaining (CBC) mode.\nThis issue is identified as CVE-2014-3566, and also known under the alias\nPOODLE. This SSL 3.0 protocol flaw will not be addressed in a future\nupdate; it is recommended that users configure their applications to\nrequire at least TLS protocol version 1.0 for secure communication.\n\nFor additional information about this flaw, see the Knowledgebase article\nat https://access.redhat.com/articles/1232123\n\nA memory leak flaw was found in the way OpenSSL parsed the DTLS Secure\nReal-time Transport Protocol (SRTP) extension data. A remote attacker could\nsend multiple specially crafted handshake messages to exhaust all available\nmemory of an SSL/TLS or DTLS server. (CVE-2014-3513)\n\nA memory leak flaw was found in the way an OpenSSL handled failed session\nticket integrity checks. A remote attacker could exhaust all available\nmemory of an SSL/TLS or DTLS server by sending a large number of invalid\nsession tickets to that server. (CVE-2014-3567)\n\nAll OpenSSL users are advised to upgrade to these updated packages, which\ncontain backported patches to mitigate the CVE-2014-3566 issue and correct\nthe CVE-2014-3513 and CVE-2014-3567 issues. For the update to take effect,\nall services linked to the OpenSSL library (such as httpd and other\nSSL-enabled services) must be restarted or the system rebooted.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2014:1692", "url": "https://access.redhat.com/errata/RHSA-2014:1692" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/articles/1232123", "url": "https://access.redhat.com/articles/1232123" }, { "category": "external", "summary": "1152789", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1152789" }, { "category": "external", "summary": "1152953", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1152953" }, { "category": "external", "summary": "1152961", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1152961" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_1692.json" } ], "title": "Red Hat Security Advisory: openssl security update", "tracking": { "current_release_date": "2024-11-05T18:39:34+00:00", "generator": { "date": "2024-11-05T18:39:34+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2014:1692", "initial_release_date": "2014-10-22T17:15:52+00:00", "revision_history": [ { "date": "2014-10-22T17:15:52+00:00", "number": "1", "summary": "Initial version" }, { "date": "2014-10-22T17:15:52+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-05T18:39:34+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Storage Server 2.1", "product": { "name": "Red Hat Storage Server 2.1", "product_id": "6Server-RHS-6.4.z", "product_identification_helper": { "cpe": "cpe:/a:redhat:storage:2.1:server:el6" } } } ], "category": "product_family", "name": "Red Hat Gluster Storage" }, { "branches": [ { "category": "product_version", "name": "openssl-static-0:1.0.1e-30.el6_6.2.x86_64", "product": { "name": "openssl-static-0:1.0.1e-30.el6_6.2.x86_64", "product_id": "openssl-static-0:1.0.1e-30.el6_6.2.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/openssl-static@1.0.1e-30.el6_6.2?arch=x86_64" } } }, { "category": "product_version", "name": "openssl-debuginfo-0:1.0.1e-30.el6_6.2.x86_64", "product": { "name": "openssl-debuginfo-0:1.0.1e-30.el6_6.2.x86_64", "product_id": "openssl-debuginfo-0:1.0.1e-30.el6_6.2.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/openssl-debuginfo@1.0.1e-30.el6_6.2?arch=x86_64" } } }, { "category": "product_version", "name": "openssl-devel-0:1.0.1e-30.el6_6.2.x86_64", "product": { "name": "openssl-devel-0:1.0.1e-30.el6_6.2.x86_64", "product_id": "openssl-devel-0:1.0.1e-30.el6_6.2.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/openssl-devel@1.0.1e-30.el6_6.2?arch=x86_64" } } }, { "category": "product_version", "name": "openssl-perl-0:1.0.1e-30.el6_6.2.x86_64", "product": { "name": "openssl-perl-0:1.0.1e-30.el6_6.2.x86_64", "product_id": "openssl-perl-0:1.0.1e-30.el6_6.2.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/openssl-perl@1.0.1e-30.el6_6.2?arch=x86_64" } } }, { "category": "product_version", "name": "openssl-0:1.0.1e-30.el6_6.2.x86_64", "product": { "name": "openssl-0:1.0.1e-30.el6_6.2.x86_64", "product_id": "openssl-0:1.0.1e-30.el6_6.2.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/openssl@1.0.1e-30.el6_6.2?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "openssl-0:1.0.1e-30.el6_6.2.src", "product": { "name": "openssl-0:1.0.1e-30.el6_6.2.src", "product_id": "openssl-0:1.0.1e-30.el6_6.2.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/openssl@1.0.1e-30.el6_6.2?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openssl-0:1.0.1e-30.el6_6.2.src as a component of Red Hat Storage Server 2.1", "product_id": "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.2.src" }, "product_reference": "openssl-0:1.0.1e-30.el6_6.2.src", "relates_to_product_reference": "6Server-RHS-6.4.z" }, { "category": "default_component_of", "full_product_name": { "name": "openssl-0:1.0.1e-30.el6_6.2.x86_64 as a component of Red Hat Storage Server 2.1", "product_id": "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.2.x86_64" }, "product_reference": "openssl-0:1.0.1e-30.el6_6.2.x86_64", "relates_to_product_reference": "6Server-RHS-6.4.z" }, { "category": "default_component_of", "full_product_name": { "name": "openssl-debuginfo-0:1.0.1e-30.el6_6.2.x86_64 as a component of Red Hat Storage Server 2.1", "product_id": "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.2.x86_64" }, "product_reference": "openssl-debuginfo-0:1.0.1e-30.el6_6.2.x86_64", "relates_to_product_reference": "6Server-RHS-6.4.z" }, { "category": "default_component_of", "full_product_name": { "name": "openssl-devel-0:1.0.1e-30.el6_6.2.x86_64 as a component of Red Hat Storage Server 2.1", "product_id": "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.2.x86_64" }, "product_reference": "openssl-devel-0:1.0.1e-30.el6_6.2.x86_64", "relates_to_product_reference": "6Server-RHS-6.4.z" }, { "category": "default_component_of", "full_product_name": { "name": "openssl-perl-0:1.0.1e-30.el6_6.2.x86_64 as a component of Red Hat Storage Server 2.1", "product_id": "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.2.x86_64" }, "product_reference": "openssl-perl-0:1.0.1e-30.el6_6.2.x86_64", "relates_to_product_reference": "6Server-RHS-6.4.z" }, { "category": "default_component_of", "full_product_name": { "name": "openssl-static-0:1.0.1e-30.el6_6.2.x86_64 as a component of Red Hat Storage Server 2.1", "product_id": "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.2.x86_64" }, "product_reference": "openssl-static-0:1.0.1e-30.el6_6.2.x86_64", "relates_to_product_reference": "6Server-RHS-6.4.z" } ] }, "vulnerabilities": [ { "cve": "CVE-2014-3513", "cwe": { "id": "CWE-401", "name": "Missing Release of Memory after Effective Lifetime" }, "discovery_date": "2014-10-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1152953" } ], "notes": [ { "category": "description", "text": "A memory leak flaw was found in the way OpenSSL parsed the DTLS Secure Real-time Transport Protocol (SRTP) extension data. A remote attacker could send multiple specially crafted handshake messages to exhaust all available memory of an SSL/TLS or DTLS server.", "title": "Vulnerability description" }, { "category": "summary", "text": "openssl: SRTP memory leak causes crash when using specially-crafted handshake message", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue did not affect the versions of OpenSSL as shipped with Red Hat Enterprise Linux 5, Red Hat JBoss Enterprise Application Platform 5 and 6, and Red Hat Enterprise JBoss Enterprise Web Server 1 and 2.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.2.src", "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.2.x86_64", "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.2.x86_64", "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.2.x86_64", "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.2.x86_64", "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.2.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2014-3513" }, { "category": "external", "summary": "RHBZ#1152953", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1152953" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2014-3513", "url": "https://www.cve.org/CVERecord?id=CVE-2014-3513" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-3513", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3513" }, { "category": "external", "summary": "https://www.openssl.org/news/secadv_20141015.txt", "url": "https://www.openssl.org/news/secadv_20141015.txt" } ], "release_date": "2014-10-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2014-10-22T17:15:52+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.2.src", "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.2.x86_64", "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.2.x86_64", "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.2.x86_64", "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.2.x86_64", "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.2.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2014:1692" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "products": [ "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.2.src", "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.2.x86_64", "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.2.x86_64", "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.2.x86_64", "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.2.x86_64", "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.2.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "openssl: SRTP memory leak causes crash when using specially-crafted handshake message" }, { "cve": "CVE-2014-3567", "cwe": { "id": "CWE-401", "name": "Missing Release of Memory after Effective Lifetime" }, "discovery_date": "2014-10-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1152961" } ], "notes": [ { "category": "description", "text": "A memory leak flaw was found in the way an OpenSSL handled failed session ticket integrity checks. A remote attacker could exhaust all available memory of an SSL/TLS or DTLS server by sending a large number of invalid session tickets to that server.", "title": "Vulnerability description" }, { "category": "summary", "text": "openssl: Invalid TLS/SSL session tickets could cause memory leak leading to server crash", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue does not affect the version of openssl shipped with Red Hat Enterprise Linux 5; Red Hat JBoss Enterprise Application Server 5 and 6; and Red Hat JBoss Enterprise Web Server 1 and 2 because openssl-0.9.8e does not include support for session tickets.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.2.src", "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.2.x86_64", "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.2.x86_64", "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.2.x86_64", "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.2.x86_64", "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.2.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2014-3567" }, { "category": "external", "summary": "RHBZ#1152961", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1152961" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2014-3567", "url": "https://www.cve.org/CVERecord?id=CVE-2014-3567" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-3567", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3567" }, { "category": "external", "summary": "https://www.openssl.org/news/secadv_20141015.txt", "url": "https://www.openssl.org/news/secadv_20141015.txt" } ], "release_date": "2014-10-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2014-10-22T17:15:52+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.2.src", "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.2.x86_64", "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.2.x86_64", "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.2.x86_64", "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.2.x86_64", "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.2.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2014:1692" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0" }, "products": [ "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.2.src", "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.2.x86_64", "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.2.x86_64", "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.2.x86_64", "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.2.x86_64", "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.2.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "openssl: Invalid TLS/SSL session tickets could cause memory leak leading to server crash" } ] }
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.