This advisory is provided as a courtesy.
We would like to bring to your attention that new security vulnerabilities in OpenSSL have been discovered. The high-severity ones include memory corruption in the ASN.1 encoder (CVE-2016-2108) and a padding oracle in the AES-NI CBC MAC check (CVE-2016-2107).
These vulnerabilities affect most Linux operating systems, such as Ubuntu, CentOS and Debian, because OpenSSL is shipped as a default package. If you are running a vulnerable OS, we strongly recommend that you install the latest patches for your operating system to fix the vulnerabilities on your servelet.
Impact
CVE-2016-2108 is a bug in OpenSSL's ASN.1 encoder that allows an attacker to trigger an out-of-bounds write, causing memory corruption that is potentially exploitable with some malloc implementations.
CVE-2016-2107 is an OpenSSL bug that allows a man-in-the-middle (MITM) attacker to use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI.
Affected Server
Operating systems affected by these vulnerabilities include, but are not limited to:
- Ubuntu Server 16.04 LTS
- Ubuntu Server 14.04 LTS
- Ubuntu Server 12.04 LTS
- CentOS 7
- CentOS 6
- Debian 8
- Debian 7
How to Fix the Problem
You only need to install the latest patches for your operating system and then restart your servelet, so that every running service loads the patched library and any kernel update included in the upgrade takes effect.
On Ubuntu and Debian systems:
sudo apt-get update
sudo apt-get dist-upgrade
and then reboot the system.
On CentOS systems:
yum update
and then reboot the system.
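A reboot is recommended because services keep using the old libssl/libcrypto that is already loaded in memory until they are restarted. The following script is an added example (not part of the original advisory) that lists processes still mapping a replaced copy of the library, which is useful on a host where a reboot had to be postponed. It assumes a standard /proc filesystem as found on Ubuntu, Debian and CentOS.

```shell
#!/bin/sh
# Added example: find processes that still use an old (deleted) libssl or
# libcrypto after the openssl packages were upgraded but the host was not
# rebooted. Such processes are still running the vulnerable code.

# stale_ssl_pids [PROCDIR]
#   Scans PROCDIR/<pid>/maps (default: /proc) and prints one PID per line
#   for every process whose memory map references a libssl*.so or
#   libcrypto*.so file marked "(deleted)", i.e. a library replaced on disk.
stale_ssl_pids() {
    procdir="${1:-/proc}"
    for maps in "$procdir"/[0-9]*/maps; do
        # Unreadable maps (other users' processes without root) are skipped.
        [ -r "$maps" ] || continue
        if grep -Eq 'lib(ssl|crypto)\.so[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
            pid="${maps%/maps}"
            printf '%s\n' "${pid##*/}"
        fi
    done
}

# When run directly: report what still needs a restart on this host.
stale="$(stale_ssl_pids)"
if [ -n "$stale" ]; then
    echo "Processes still using a replaced libssl/libcrypto (restart them or reboot):"
    for pid in $stale; do
        name="$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')"
        printf '  %s %s\n' "$pid" "$name"
    done
else
    echo "No readable process maps a deleted libssl/libcrypto."
fi
```

Run it as root after the upgrade so that every process's map file is readable; an empty list means the patched library is in use everywhere the script can see.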
More information
OpenSSL Security Advisory
USN-2959-1: OpenSSL vulnerabilities
Request Assistance
If needed, we can perform the patch installation for you at a one-time discounted fee of $10. Please submit your order at Order -> Additional Services -> Vulnerability Fix - LINUX & WINDOWS: Linux Kernel "Use-After-Free", OpenSSL, GNU C Library and Poodle SSLV3 Vulnerability - $10.
Alternatively, first open a support ticket and give us the hostname, IP address and OS template of the servelet. You can find this information in your servelet's control panel.
For example:
Hostname: test-dd
IP Address: 103.25.202.81
OS Template: CentOS 6.5 (64-bit) 20140123a
Thank you.
SimplerCloud Support Team