Bug 1152967 (CVE-2014-3568)

Summary: CVE-2014-3568 openssl: Build option no-ssl3 is incomplete
Product: [Other] Security Response
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: aneelica, cdewolf, csutherl, dandread, darran.lofthouse, dknox, fnasser, gmurphy, huwang, jason.greene, jawilson, jclere, jdoyle, kkhan, lgao, mbabacek, myarboro, pgier, pslavice, rsvoboda, security-response-team, tmraz, twalsh, vtunka, weli
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: openssl 0.9.8zc, openssl 1.0.0o, openssl 1.0.1j
Doc Type: Bug Fix
Last Closed: 2014-10-15 09:47:45 UTC
Bug Depends On: 1153471, 1153473
Bug Blocks: 1152790

Description Huzaifa S. Sidhpurwala 2014-10-15 09:46:18 UTC
OpenSSL upstream reported the following security flaw:

When OpenSSL is configured with "no-ssl3" as a build option, servers could accept and complete an SSL 3.0 handshake, and clients could be configured to send them.

OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.

This issue was reported to OpenSSL by Akamai Technologies on 14th October 2014.

The fix was developed by Akamai and the OpenSSL team.

External Reference:

https://www.openssl.org/news/secadv_20141015.txt

Comment 1 Huzaifa S. Sidhpurwala 2014-10-15 09:47:45 UTC
Statement:

Not vulnerable. The versions of the openssl package as shipped in Red Hat Enterprise Linux 5, 6 and 7; Red Hat JBoss Enterprise Application Platform 5 and 6; and Red Hat JBoss Enterprise Web Server 1 and 2 are not built with the "no-ssl3" option and therefore are not vulnerable to this security flaw.

Comment 3 Tomas Hoger 2014-10-15 19:45:42 UTC
Fixed upstream in OpenSSL versions 0.9.8zc, 1.0.0o and 1.0.1j:

https://www.openssl.org/news/secadv_20141015.txt