SimplerCloud Pte Ltd


News: Security Advisory: OpenSSL Vulnerabilities

Published: 05/05/2016

This advisory is provided as a courtesy.

We would like to bring to your attention that new security vulnerabilities in OpenSSL have been discovered. The high-severity ones include memory corruption in the ASN.1 encoder (CVE-2016-2108) and a padding oracle in the AES-NI CBC MAC check (CVE-2016-2107).


These vulnerabilities affect most Linux operating systems, such as Ubuntu, CentOS and Debian, since OpenSSL is included as a default package in those operating systems. If you are running a vulnerable OS, we strongly recommend that you install the latest patches for your operating system to fix the vulnerability on your servelet.


Impact


CVE-2016-2108 is a bug in OpenSSL's ASN.1 encoder that allows an attacker to trigger an out-of-bounds write, causing memory corruption that is potentially exploitable with some malloc implementations.


CVE-2016-2107 is an OpenSSL bug that allows a man-in-the-middle (MITM) attacker to use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI.


Affected Server


Operating systems affected by these vulnerabilities include, but are not limited to:


- Ubuntu Server 16.04 LTS
- Ubuntu Server 14.04 LTS
- Ubuntu Server 12.04 LTS
- CentOS 7
- CentOS 6
- Debian 8
- Debian 7

How to Fix the Problem


You just need to install the latest patches for your operating system and restart your servelet afterwards so that the new patches, including any kernel updates, take effect. The restart also ensures that long-running services which had loaded the old OpenSSL library are now using the patched version.


On Ubuntu and Debian systems:


sudo apt-get update
sudo apt-get dist-upgrade

and then reboot the system.

On CentOS systems:

yum update

and then reboot the system.
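After updating, two things are worth verifying: that the package you installed actually carries the fixes for CVE-2016-2107 and CVE-2016-2108 (distributions backport fixes without changing the upstream version string, so "openssl version" alone tells you little), and that no service is still running with the old library mapped in memory. The script below is an added example and is not part of this advisory or of any distribution's tooling; it assumes the usual package names and changelog paths for the listed releases (libssl1.0.0 on Debian/Ubuntu, openssl or openssl-libs on CentOS) and exercises its checks on constructed sample data so that it can be tested offline.

```shell
#!/bin/sh
# Added example, not part of the SimplerCloud advisory: post-patch checks for
# the OpenSSL fixes for CVE-2016-2107 and CVE-2016-2108. Package names and
# changelog paths are assumptions for Ubuntu 12.04/14.04/16.04, Debian 7/8
# and CentOS 6/7; adjust them for other distributions.

# 1. Did the installed package carry the fix? Distributions backport patches
#    without bumping the upstream version, so check the package changelog.
changelog_mentions_cve() {
    # Reads changelog text on stdin; exit 0 if the given CVE id appears.
    grep -q -- "$1"
}

print_openssl_changelog() {
    # Emit the distro changelog of the installed OpenSSL library package.
    if command -v rpm >/dev/null 2>&1; then
        # CentOS 7 ships the library in openssl-libs, CentOS 6 in openssl.
        rpm -q --changelog openssl-libs 2>/dev/null || rpm -q --changelog openssl
    elif [ -r /usr/share/doc/libssl1.0.0/changelog.Debian.gz ]; then
        # Debian 7/8 and Ubuntu 12.04/14.04/16.04 package the library as libssl1.0.0.
        zcat /usr/share/doc/libssl1.0.0/changelog.Debian.gz
    fi
}

# 2. Which processes still map the *old* library? After apt/yum replaces
#    libssl.so on disk, a running daemon keeps the deleted file mapped and
#    keeps executing the vulnerable code until it is restarted; the kernel
#    marks such mappings "(deleted)" in /proc/<pid>/maps.
count_stale_ssl_libs() {
    # Reads one or more maps files on stdin; prints the number of distinct
    # libssl/libcrypto paths that are mapped but already replaced on disk.
    grep -E 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$' \
        | awk '{ print $6 }' | sort -u | awk 'END { print NR }'
}

list_processes_with_stale_ssl_libs() {
    # Prints "pid comm" for each process still mapping a replaced
    # libssl/libcrypto. Reading other users' maps requires root.
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        if [ "$(count_stale_ssl_libs < "$maps")" != "0" ]; then
            printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        fi
    done
}

# Constructed sample data (addresses, inodes and the changelog entry are made
# up) so the two checks can be exercised without a patched host.
SAMPLE_MAPS='7f3a1c000000-7f3a1c1d0000 r-xp 00000000 fd:01 1234 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c1d0000-7f3a1c3d0000 ---p 001d0000 fd:01 1234 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1d000000-7f3a1d200000 r-xp 00000000 fd:01 5678 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f3a1e000000-7f3a1e020000 r-xp 00000000 fd:01 9012 /lib/x86_64-linux-gnu/libz.so.1.2.8 (deleted)'

SAMPLE_CHANGELOG='openssl (1.0.2g-1ubuntuN.N) xenial-security; urgency=medium

  * SECURITY UPDATE: padding oracle in AES-NI CBC MAC check (constructed entry)
    - CVE-2016-2107'

# Live mode runs both checks against this host: sh check_openssl_patch.sh --live
if [ "${1:-}" = "--live" ]; then
    for cve in CVE-2016-2107 CVE-2016-2108; do
        if print_openssl_changelog | changelog_mentions_cve "$cve"; then
            echo "$cve: fix listed in installed package changelog"
        else
            echo "$cve: NOT found in package changelog - update may be missing"
        fi
    done
    echo "Processes still using a replaced libssl/libcrypto (restart them or reboot):"
    list_processes_with_stale_ssl_libs
fi
```

On the constructed sample, count_stale_ssl_libs reports one stale library (libssl; the libz mapping is ignored and libcrypto is current) and the changelog check finds CVE-2016-2107 but not CVE-2016-2108, which is exactly the situation the changelog check exists to catch. The same stale-library question is answered by the distribution tools checkrestart (debian-goodies), needrestart, or needs-restarting from yum-utils; a reboot, as the advisory recommends, settles it for every process at once.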


More information


OpenSSL Security Advisory
USN-2959-1: OpenSSL vulnerabilities


Request Assistance


If needed, we can perform the patch installation for you at a one-time discounted fee of $10. Please submit your order at Order -> Additional Services -> Vulnerability Fix - LINUX & WINDOWS: Linux Kernel "Use-After-Free", OpenSSL, GNU C Library and Poodle SSLV3 Vulnerability - $10.

Alternatively, please first open a support ticket and give us the hostname, IP address and OS template. You can find this information in your servelet's control panel.

For example:

Hostname: test-dd
IP Address: 103.25.202.81
OS Template: CentOS 6.5 (64-bit) 20140123a

Thank you.

SimplerCloud Support Team