How To Patch and Protect OpenSSL Vulnerability # CVE-2015-0291 CVE-2015-0204 [ 19/March/2015 ]

On 19 March 2015, multiple high and moderate severity vulnerabilities were disclosed in OpenSSL, a Secure Sockets Layer toolkit used on Linux and Unix-like systems. How can I fix these vulnerabilities on a CentOS/RHEL/Ubuntu or Debian Linux based server (the fixed OpenSSL releases are 1.0.2a, 1.0.1m, 1.0.0r, and 0.9.8zf)? How do I verify that my Linux server has been patched against the OpenSSL vulnerabilities?

A serious security problem has been found and patched in the OpenSSL library. Multiple vulnerabilities were disclosed in OpenSSL on 19 March 2015. The Common Vulnerabilities and Exposures (CVE) project identifies the following issues:


  1. OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291) – Severity: High
  2. Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204) – Severity: High
  3. Multiblock corrupted pointer (CVE-2015-0290) – Severity: Moderate
  4. Segmentation fault in DTLSv1_listen (CVE-2015-0207) – Severity: Moderate
  5. Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286) – Severity: Moderate
  6. Segmentation fault for invalid PSS parameters (CVE-2015-0208) – Severity: Moderate
  7. ASN.1 structure reuse memory corruption (CVE-2015-0287) – Severity: Moderate
  8. PKCS7 NULL pointer dereferences (CVE-2015-0289) – Severity: Moderate
  9. Base64 decode (CVE-2015-0292) – Severity: Moderate
  10. DoS via reachable assert in SSLv2 servers (CVE-2015-0293) – Severity: Moderate
  11. Empty CKE with client auth and DHE (CVE-2015-1787) – Severity: Moderate
  12. Handshake with unseeded PRNG (CVE-2015-0285) – Severity: Low
  13. Use After Free following d2i_ECPrivatekey error (CVE-2015-0209) – Severity: Low
  14. X509_to_X509_REQ NULL pointer deref (CVE-2015-0288) – Severity: Low

How bad will this actually be?

It is not as bad as the Heartbleed OpenSSL bug disclosed in April 2014 in the OpenSSL cryptography library. But the new bugs can cause a denial of service and crash your services. It is good security practice to apply the patched version on your system quickly and restart the affected services.

How do I find the OpenSSL version on Linux?

The syntax is as follows:

Find the OpenSSL version on CentOS/RHEL/SL/Fedora Linux

openssl version
## or ##
sudo yum list installed openssl

Sample outputs:

Fig.01: How to RHEL/CentOS/Fedora Linux Find OpenSSL Version Command

Find the OpenSSL version on Debian/Ubuntu Linux

openssl version
## or ##
sudo dpkg -l | egrep  '^ii.*openssl'

Sample outputs:

Fig.02: How to Debian/Ubuntu Linux Find OpenSSL Version Command

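
As an added example (not part of the original tutorial), the following POSIX shell function classifies an OpenSSL version string against the upstream releases that carry the fix, 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf. The function names and the sample version strings are my own; it accepts either a bare version such as 1.0.1e or the whole output line of `openssl version`.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): classify an OpenSSL
# version string against the upstream releases that fixed the 19 March 2015
# advisory: 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.

# Upstream fixed patch letter for each release branch.
fixed_letter() {
    case "$1" in
        1.0.2) echo a ;;
        1.0.1) echo m ;;
        1.0.0) echo r ;;
        0.9.8) echo zf ;;
        *)     echo "" ;;
    esac
}

# Usage: check_openssl_version "<version string>"
# Accepts a bare version ("1.0.1e") or the full output of `openssl version`
# ("OpenSSL 1.0.1e-fips 11 Feb 2013").
# Prints one of: fixed, vulnerable, unknown-branch, unparseable.
check_openssl_version() {
    parsed=$(printf '%s\n' "$1" \
        | sed -n 's/.*\([0-9]\.[0-9]\.[0-9]\)\([a-z]*\).*/\1 \2/p')
    [ -n "$parsed" ] || { echo unparseable; return 0; }
    base=${parsed%% *}      # e.g. 1.0.1
    letter=${parsed#* }     # e.g. e, or empty for the .0 release
    want=$(fixed_letter "$base")
    [ -n "$want" ] || { echo unknown-branch; return 0; }
    # OpenSSL patch letters sort lexically: a < b < ... < z < za < zf < zg,
    # so a plain string comparison tells whether this release is at or past
    # the fixed one. A missing letter is the .0 release, always older.
    if [ -z "$letter" ] || expr "$letter" \< "$want" >/dev/null; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Demo: classify the locally installed OpenSSL when the binary is available.
if command -v openssl >/dev/null 2>&1; then
    echo "local openssl: $(openssl version) -> $(check_openssl_version "$(openssl version)")"
fi
```

One caveat before trusting the result on RHEL or CentOS: those distros backport fixes without bumping the upstream version, so the patched package shown in the yum output further down, 1.0.1e-30.el6_6.7, still reports 1.0.1e and this check calls it vulnerable. On such systems compare the package release instead, for example by grepping the package changelog for the CVE ids listed above: rpm -q --changelog openssl | grep CVE-2015-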
A list of affected Linux distros

I recommend that you upgrade your OpenSSL packages ASAP to avoid any security issues on both client and server systems powered by a Linux based distro.

  • RHEL version 6.x
  • RHEL version 7.x
  • CentOS Linux version 6.x
  • CentOS Linux version 7.x
  • Debian Linux stable (wheezy) 7.x
  • Ubuntu Linux 14.10
  • Ubuntu Linux 14.04 LTS
  • Ubuntu Linux 12.04 LTS
  • Ubuntu Linux 10.04 LTS

How do I patch OpenSSL on Linux?

Type the following commands as per your distro version/type:

## how do I find out my distro version? ##
lsb_release -a
## or use ## 
cat /etc/*-release

Sample outputs:

Gif 01: HowTo: Find Out My Linux Distribution Name and Version

CentOS/RHEL/Fedora Linux

Type the following yum command as the root user to clear the cached repository metadata before patching OpenSSL:

sudo yum clean all

To install the updates, use the yum command as follows:

sudo yum update

To only update the OpenSSL package and its dependencies, use the following yum command:

sudo yum update openssl

Sample outputs:

Loaded plugins: auto-update-debuginfo, protectbase, rhnplugin, security
This system is receiving updates from RHN Classic or RHN Satellite.
Setting up Update Process
epel-debuginfo/metalink                                  |  13 kB     00:00     
rhel-x86_64-server-6                                     | 1.5 kB     00:00     
rhel-x86_64-server-6/primary                             |  21 MB     00:05     
rhel-x86_64-server-6                                                14680/14680
rhel-x86_64-server-6-debuginfo                           | 1.3 kB     00:00     
rhel-x86_64-server-6-debuginfo/primary                   | 1.1 MB     00:00     
rhel-x86_64-server-6-debuginfo                                        5939/5939
rhel-x86_64-server-optional-6                            | 1.5 kB     00:00     
rhel-x86_64-server-optional-6/primary                    | 2.0 MB     00:00     
rhel-x86_64-server-optional-6                                         8239/8239
rhel-x86_64-server-optional-6-debuginfo                  | 1.3 kB     00:00     
rhel-x86_64-server-optional-6-debuginfo/primary          | 681 kB     00:00     
rhel-x86_64-server-optional-6-debuginfo                               3571/3571
0 packages excluded due to repository protections
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 0:1.0.1e-30.el6_6.5 will be updated
--> Processing Dependency: openssl = 1.0.1e-30.el6_6.5 for package: openssl-devel-1.0.1e-30.el6_6.5.x86_64
---> Package openssl.x86_64 0:1.0.1e-30.el6_6.7 will be an update
--> Running transaction check
---> Package openssl-devel.x86_64 0:1.0.1e-30.el6_6.5 will be updated
---> Package openssl-devel.x86_64 0:1.0.1e-30.el6_6.7 will be an update
--> Finished Dependency Resolution
 
Dependencies Resolved
 
================================================================================
 Package          Arch      Version               Repository               Size
================================================================================
Updating:
 openssl          x86_64    1.0.1e-30.el6_6.7     rhel-x86_64-server-6    1.5 M
Updating for dependencies:
 openssl-devel    x86_64    1.0.1e-30.el6_6.7     rhel-x86_64-server-6    1.2 M
 
Transaction Summary
================================================================================
Upgrade       2 Package(s)
 
Total download size: 2.7 M
Is this ok [y/N]: n
Exiting on user Command
[root@txvip1 ~]# 
[root@txvip1 ~]# yum update openssl
Loaded plugins: auto-update-debuginfo, protectbase, rhnplugin, security
This system is receiving updates from RHN Classic or RHN Satellite.
Setting up Update Process
0 packages excluded due to repository protections
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 0:1.0.1e-30.el6_6.5 will be updated
--> Processing Dependency: openssl = 1.0.1e-30.el6_6.5 for package: openssl-devel-1.0.1e-30.el6_6.5.x86_64
---> Package openssl.x86_64 0:1.0.1e-30.el6_6.7 will be an update
--> Running transaction check
---> Package openssl-devel.x86_64 0:1.0.1e-30.el6_6.5 will be updated
---> Package openssl-devel.x86_64 0:1.0.1e-30.el6_6.7 will be an update
--> Finished Dependency Resolution
 
Dependencies Resolved
 
============================================================================================
 Package             Arch         Version                  Repository                  Size
============================================================================================
Updating:
 openssl             x86_64       1.0.1e-30.el6_6.7        rhel-x86_64-server-6       1.5 M
Updating for dependencies:
 openssl-devel       x86_64       1.0.1e-30.el6_6.7        rhel-x86_64-server-6       1.2 M
 
Transaction Summary
============================================================================================
Upgrade       2 Package(s)
 
Total download size: 2.7 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): openssl-1.0.1e-30.el6_6.7.x86_64.rpm                          | 1.5 MB     00:00     
(2/2): openssl-devel-1.0.1e-30.el6_6.7.x86_64.rpm                    | 1.2 MB     00:00     
--------------------------------------------------------------------------------------------
Total                                                       6.4 MB/s | 2.7 MB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : openssl-1.0.1e-30.el6_6.7.x86_64                                         1/4 
  Updating   : openssl-devel-1.0.1e-30.el6_6.7.x86_64                                   2/4 
  Cleanup    : openssl-devel-1.0.1e-30.el6_6.5.x86_64                                   3/4 
  Cleanup    : openssl-1.0.1e-30.el6_6.5.x86_64                                         4/4 
  Verifying  : openssl-1.0.1e-30.el6_6.7.x86_64                                         1/4 
  Verifying  : openssl-devel-1.0.1e-30.el6_6.7.x86_64                                   2/4 
  Verifying  : openssl-1.0.1e-30.el6_6.5.x86_64                                         3/4 
  Verifying  : openssl-devel-1.0.1e-30.el6_6.5.x86_64                                   4/4 
 
Updated:
  openssl.x86_64 0:1.0.1e-30.el6_6.7                                                        
 
Dependency Updated:
  openssl-devel.x86_64 0:1.0.1e-30.el6_6.7                                                  
 
Complete!

Debian/Ubuntu Linux

Type the following apt-get commands as the root user to patch OpenSSL:

sudo apt-get update
sudo apt-get upgrade

Sample outputs:

Fig.04: OpenSSL patched on a Ubuntu Linux

Do I need to reboot my server/laptop/computer powered by Linux?

Short answer – yes, you need to reboot your computer/server so that all the necessary changes take effect. Sysadmins should plan on updating as soon as possible, or use a maintenance reboot window:

sudo reboot

Long answer – it depends. You can avoid a reboot by restarting the required services. First, find all services that depend on the OpenSSL libraries, and restart them one-by-one using the service command:

## Debian/Ubuntu: find out which services need a restart (checkrestart is in the debian-goodies package) ##
sudo checkrestart -v
 
## Generic method: list running programs that have libssl or libcrypto loaded ##
sudo lsof | grep -E 'libssl|libcrypto' | awk '{print $1}' | sort -u

Sample outputs:

hhvm
mysqld
nginx
php5-fpm

Restart the above services one-by-one; for example:

sudo service hhvm restart
sudo service mysqld restart
sudo service nginx restart
sudo service php5-fpm restart
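
Added example, not from the original tutorial: the lsof pipeline above lists every program that has libssl loaded, whether or not it has already been restarted since the upgrade. The check below is stricter. It reads /proc/PID/maps and reports only processes that still map a libssl or libcrypto file that has since been replaced on disk (the kernel marks such mappings "(deleted)"), which is exactly the set that still needs a restart. The function names and the sample maps lines are constructed for this example; run the live scan as root so that every process's maps file is readable.

```shell
#!/bin/sh
# Added example (not part of the original tutorial). Finds processes that
# still map an OpenSSL shared library that the package upgrade replaced on
# disk. The old file is unlinked but stays mapped until the process exits,
# and the kernel flags such mappings "(deleted)" in /proc/PID/maps.

# Print the distinct libssl/libcrypto paths in one maps file that are
# marked deleted. $1 is the path to a maps file (normally /proc/PID/maps).
stale_openssl_maps() {
    grep -E '(libssl|libcrypto)[^ ]*\.so[^ ]* \(deleted\)' "$1" 2>/dev/null \
        | awk '{ print $6 }' | sort -u
}

# Walk every process and print "PID COMMAND LIBRARY" per stale mapping.
# Without root, maps files of other users' processes are unreadable and
# are silently skipped, so run this as root for a complete answer.
list_stale_openssl_processes() {
    for dir in /proc/[0-9]*; do
        pid=${dir#/proc/}
        libs=$(stale_openssl_maps "$dir/maps")
        [ -n "$libs" ] || continue
        comm=$(cat "$dir/comm" 2>/dev/null || echo '?')
        for lib in $libs; do
            printf '%s %s %s\n' "$pid" "$comm" "$lib"
        done
    done
}

# Constructed sample maps file (not real output): a process that still has
# the pre-upgrade libssl and libcrypto mapped, plus an unaffected libc
# mapping and a fresh (not deleted) libssl mapping that must be ignored.
sample_maps_file() {
    cat > "$1" <<'EOF'
7f1b2c000000-7f1b2c1c4000 r-xp 00000000 08:01 131091 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f1b2c3d0000-7f1b2c433000 r-xp 00000000 08:01 131097 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1b2c433000-7f1b2c43c000 rw-p 00063000 08:01 131097 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1b2c640000-7f1b2c7fb000 r-xp 00000000 08:01 131052 /lib/x86_64-linux-gnu/libc-2.19.so
7f1b2c9f0000-7f1b2ca40000 r-xp 00000000 08:01 131100 /lib/x86_64-linux-gnu/libssl.so.1.0.0
EOF
}

# Demo on the constructed sample; pass --scan for a live scan of /proc.
sample_file=$(mktemp)
sample_maps_file "$sample_file"
echo "stale OpenSSL libraries in the sample maps file:"
stale_openssl_maps "$sample_file"
rm -f "$sample_file"
if [ "${1:-}" = "--scan" ]; then
    list_stale_openssl_processes
fi
```

The COMMAND column is what you feed to the service command; a process that shows up here after you have already restarted its service usually means the init script restarted a wrapper but left a worker or a forked child running with the old library.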
8 comments… add one
  • Carla Crystoper Mar 20, 2015 @ 9:48

    Thank you for bringing it to attention! I do not have the “hhvm” service??? What is the purpose of hhvm on a Ubuntu LTS?

    • 🐧 nixCraft Mar 20, 2015 @ 9:49

      HHVM is an open-source virtual machine designed for executing programs written in Hack and PHP. More info:
      http://hhvm.com

  • Gremble Mar 20, 2015 @ 10:07

    In the section Debian/Ubuntu, you have ‘sudo yum upgrade’ I believe you meant ‘sudo apt-get upgrade’.

    • 🐧 nixCraft Mar 20, 2015 @ 10:34

      Hi Gremble,

      Thanks for the heads up! I updated tutorials to reflect that!!

  • Fred Mar 20, 2015 @ 11:09

    Thanks for the tutorial. CentOS 7 repos don’t appear to have a newer openssl than 1.0.1e-fips as of yet (20 Mar). Am I missing something?

    Thanks for the tip re: dependent services. I was wondering how I could determine that yum depends on python 2.6 for example. I tried lsof | grep python | awk '{print $1}' | sort | uniq, but yum is not listed. What would be the best way to find the programs that depend on a particular version of python?
    Thanks.

    • 🐧 nixCraft Mar 20, 2015 @ 11:20

      Hi Fred,

      The yum command is not a background service or a daemon. So you will not get any info about it. The lsof hack is only useful for a daemon such as Apache/Nginx/Lighttpd/MySQL/squid and more.

      HTH

  • Headly Mar 20, 2015 @ 16:43

    This problem was fixed in Ubuntu 12.04 with version 1.0.1-4ubuntu5.25.
    And in Ubuntu 14.04 by version 1.0.1f-1ubuntu2.11.
    The dates on the changelogs were March 19th for the latest versions.

    But, thanks for bringing this to my attention.

  • ccruzado Mar 26, 2015 @ 22:23

    I have a Windows server with XAMPP and I don't know how to update, can you help me?
