Rapid7 VulnDB

RHSA-2013:0587: openssl security update

Severity
5
CVSS
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Published
02/08/2013
Created
07/25/2018
Added
03/05/2013
Modified
07/04/2017

Description

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.

It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-0169)

A NULL pointer dereference flaw was found in the OCSP response verification in OpenSSL. A malicious OCSP server could use this flaw to crash applications performing OCSP verification by sending a specially-crafted response. (CVE-2013-0166)

It was discovered that the TLS/SSL protocol could leak information about plain text when optional compression was used. An attacker able to control part of the plain text sent over an encrypted TLS/SSL connection could possibly use this flaw to recover other portions of the plain text. (CVE-2012-4929)

Note: This update disables zlib compression, which was previously enabled in OpenSSL by default. Applications using OpenSSL now need to explicitly enable zlib compression to use it.

It was found that OpenSSL read certain environment variables even when used by a privileged (setuid or setgid) application. A local attacker could use this flaw to escalate their privileges. No application shipped with Red Hat Enterprise Linux 5 and 6 was affected by this problem. (BZ#839735)

All OpenSSL users should upgrade to these updated packages, which contain backported patches to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
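The compression leak behind CVE-2012-4929 is easy to see in a few lines of Python. This is an added example, not code from the advisory, from OpenSSL or from Rapid7: it models one TLS record that carries an attacker-chosen URL next to the victim's Cookie header, uses zlib's DEFLATE as a stand-in for TLS compression, and recovers the cookie value one byte at a time from nothing but the compressed length. The request text, the `bank.example` host, the cookie value `id=7f3a9c` and the hex alphabet are all constructed for the demonstration. The fixed-Huffman strategy (`Z_FIXED`) is chosen so that a guess which extends the back-reference into the real cookie saves exactly one literal, which keeps this toy oracle unambiguous; real attacks against dynamic Huffman output need padding and retries to resolve ties.

```python
import zlib

# Constructed for this example: the secret the attacker wants is the value of
# the victim's Cookie header; the attacker can only choose the request path.
SECRET_COOKIE = b"id=7f3a9c"
HEX_DIGITS = b"0123456789abcdef"


def build_record(attacker_text: bytes, cookie: bytes = SECRET_COOKIE) -> bytes:
    """Plaintext of one request as the browser would send it: attacker-chosen
    query string first, fixed headers, then the secret cookie.  Host name and
    headers are hypothetical."""
    return (b"GET /search?q=" + attacker_text + b" HTTP/1.1\r\n"
            b"Host: bank.example\r\n"
            b"Accept: text/html\r\n"
            b"Accept-Encoding: gzip\r\n"
            b"Accept-Language: en\r\n"
            b"Cookie: " + cookie + b"\r\n\r\n")


def compressed_size(attacker_text: bytes, cookie: bytes = SECRET_COOKIE) -> int:
    """The only thing a passive observer on the wire learns about the record:
    its length after compression.  DEFLATE stands in for TLS compression.
    Z_FIXED (static Huffman codes) makes the size depend on the LZ77 matches
    alone, so extending a match by one byte saves exactly one 8-bit literal."""
    comp = zlib.compressobj(9, zlib.DEFLATED, 15, 9, zlib.Z_FIXED)
    return len(comp.compress(build_record(attacker_text, cookie)) + comp.flush())


def recover_cookie(known_prefix: bytes, nbytes: int,
                   alphabet: bytes = HEX_DIGITS,
                   cookie: bytes = SECRET_COOKIE) -> bytes:
    """Byte-at-a-time recovery: the candidate that extends the back-reference
    into the real cookie compresses one byte shorter than every other one."""
    recovered = b""
    for _ in range(nbytes):
        sizes = {c: compressed_size(known_prefix + recovered + bytes([c]), cookie)
                 for c in alphabet}
        smallest = min(sizes.values())
        winners = [c for c, size in sizes.items() if size == smallest]
        if len(winners) != 1:
            break  # ambiguous round; a real attack pads the request and retries
        recovered += bytes(winners)
    return recovered


if __name__ == "__main__":
    print("correct guess:", compressed_size(b"id=7"), "bytes")
    print("wrong guess:  ", compressed_size(b"id=0"), "bytes")
    print("recovered:", recover_cookie(b"id=", len(SECRET_COOKIE) - len(b"id=")))
```

The attacker never sees plaintext or keys; the record length is enough, which is why the only robust fix is the one this update applies: compression is switched off, so the length of the ciphertext no longer depends on how much of the attacker's input matches the secret.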

Solution(s)

  • redhat-upgrade-openssl
  • redhat-upgrade-openssl-debuginfo
  • redhat-upgrade-openssl-devel
  • redhat-upgrade-openssl-perl
  • redhat-upgrade-openssl-static
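The advisory's last sentence is the step most often skipped: the RPM upgrade replaces libssl and libcrypto on disk, but every daemon that loaded the old copies keeps executing the vulnerable code until it is restarted. The following Python is an added example, not Red Hat's or Rapid7's tooling, that finds those processes by reading /proc/<pid>/maps and looking for OpenSSL libraries whose backing file the kernel now reports as (deleted). The sample maps lines, paths and inode numbers are constructed for the test, not captured from a real host; run the scan as root so every process's maps file is readable.

```python
import os
import re

# A mapping whose backing file was unlinked or replaced (which is what rpm does
# on upgrade) is shown in /proc/<pid>/maps with a trailing "(deleted)" marker.
DELETED = " (deleted)"
OPENSSL_LIB = re.compile(r"/lib(ssl|crypto)\.so(\.[0-9a-z.]+)?$")


def stale_openssl_libs(maps_text: str) -> set:
    """Return the OpenSSL library paths a process still has mapped from deleted
    (pre-upgrade) files; an empty set means no restart is needed."""
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)      # addr perms offset dev inode [path]
        if len(fields) < 6:
            continue                      # anonymous mapping, no path
        path = fields[5]
        if not path.endswith(DELETED):
            continue
        path = path[:-len(DELETED)]
        if OPENSSL_LIB.search(path):
            stale.add(path)
    return stale


def processes_needing_restart(proc_root: str = "/proc") -> dict:
    """Map pid -> set of stale OpenSSL libraries for every readable process."""
    result = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                stale = stale_openssl_libs(fh.read())
        except OSError:
            continue                      # process exited, or not ours (run as root)
        if stale:
            result[int(entry)] = stale
    return result


# Constructed sample (not captured from a real host): a worker started before
# the openssl RPM was upgraded on a RHEL 6 box.  libz is deleted too but is
# not what this advisory is about, so it is ignored.
SAMPLE_MAPS = """\
7f1c2a000000-7f1c2a1b0000 r-xp 00000000 fd:00 131093     /usr/lib64/libcrypto.so.1.0.0 (deleted)
7f1c2a1b0000-7f1c2a3af000 ---p 001b0000 fd:00 131093     /usr/lib64/libcrypto.so.1.0.0 (deleted)
7f1c2a400000-7f1c2a460000 r-xp 00000000 fd:00 131101     /usr/lib64/libssl.so.1.0.0 (deleted)
7f1c2b000000-7f1c2b1a0000 r-xp 00000000 fd:00 655        /lib64/libc-2.12.so
7f1c2c000000-7f1c2c030000 r-xp 00000000 fd:00 700        /lib64/libz.so.1.2.3 (deleted)
7f1c2d000000-7f1c2d021000 rw-p 00000000 00:00 0
"""

if __name__ == "__main__":
    print("sample:", sorted(stale_openssl_libs(SAMPLE_MAPS)))
    for pid, libs in sorted(processes_needing_restart().items()):
        print(pid, sorted(libs))
```

Anything the scan lists must be restarted (or the host rebooted) before the update can be considered applied; a vulnerability scanner that only compares installed package versions will report the host as fixed while those daemons are still exposed.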