Bug 1310593 (CVE-2016-0800, DROWN)
Field | Value | Field | Value
---|---|---|---
Summary | CVE-2016-0800 SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN) | |
Product | [Other] Security Response | Reporter | Huzaifa S. Sidhpurwala <huzaifas>
Component | vulnerability | Assignee | Red Hat Product Security <security-response-team>
Status | CLOSED ERRATA | QA Contact |
Severity | high | Docs Contact |
Priority | high | |
Version | unspecified | CC | asantos, bbaranow, bmaxwell, cdewolf, chazlett, crrobins, csutherl, dandread, darran.lofthouse, dfediuck, dknox, dlawrenc, fdeutsch, fnasser, huwang, jason.greene, jawilson, jclere, jdoyle, jgreguske, jshepherd, lgao, mbabacek, miburman, myarboro, pachoramos1, pdwyer, pgier, pkliczew, pmatouse, psakar, pslavice, redhat-bugzilla, rhatlapa, rnetuka, rsvoboda, sardella, security-response-team, sherold, slawomir, slong, spinder, theute, tmraz, twalsh, vtunka, weli
Target Milestone | --- | Keywords | Security
Target Release | --- | |
Hardware | All | |
OS | Linux | |
Whiteboard | | |
Fixed In Version | openssl 1.0.1s, openssl 1.0.2g | Doc Type | Bug Fix
Doc Text | A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker could potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN. | |
Story Points | --- | |
Clone Of | | Environment |
Last Closed | 2017-05-25 19:43:20 UTC | Type | ---
Regression | --- | Mount Type | ---
Documentation | --- | CRM |
Verified Versions | | Category | ---
oVirt Team | --- | RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | --- | Target Upstream Version |
Embargoed | | |
Bug Depends On | 1301848, 1301849, 1301850, 1301851, 1301852, 1311103, 1311104, 1311478, 1311479, 1311480, 1311481, 1311482, 1311483, 1311484, 1311867, 1312239, 1312240, 1312891, 1312892, 1313366, 1313378, 1313595, 1313598, 1313619, 1314097, 1314718, 1314719, 1314720, 1314721 | |
Bug Blocks | 1301847 | |
Attachments | | |
Description
Huzaifa S. Sidhpurwala
2016-02-22 10:24:03 UTC
Created attachment 1129416 [details]
OpenSSL upstream patch
External References:

https://access.redhat.com/articles/2176731
https://www.openssl.org/news/secadv/20160301.txt
https://www.drownattack.com/

Acknowledgments:

Name: the OpenSSL project
Upstream: Nimrod Aviram, Sebastian Schinzel

Comment on attachment 1129416 [details]
OpenSSL upstream patch

(In reply to Adam Mariš from comment #1)

The OpenSSL upstream patch includes multiple changes:

* SSLv2 is now disabled by default at compile time, which makes it impossible to use SSLv2 via both SSLv2 and SSLv23 connection methods. Previously, it was possible to build OpenSSL without SSLv2 support by using the "no-ssl2" configure option. That was now made the default, and the "enable-ssl2" configure option now needs to be provided to enable SSLv2 support.

* When OpenSSL is built with SSLv2 support, SSLv2 is now disabled by default when using SSLv23 connection methods (SSLv23_method(), SSLv23_server_method(), SSLv23_client_method() - see the SSL_CTX_new manual page). To use SSLv2 with SSLv23 connection methods, applications now need to explicitly clear the SSL_OP_NO_SSLv2 option on SSL_CTX or SSL objects using SSL_CTX_clear_options() or SSL_clear_options(). The SSLv2 connection methods are not affected by this change.

  Note that openssl packages in Fedora 21 and later already have SSLv2 disabled by default when using SSLv23 methods. In Fedora 22 and later, SSLv3 is disabled by default as well.
  http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/commit/openssl-1.0.1h-disable-sslv2v3.patch?h=f22&id=646646611547dd7072b0562ed5f27861fbb12f48

* Weak (40bit EXPORT and 56bit DES) SSLv2 cipher support was removed. The following ciphers are no longer available:
  - EXP-RC2-CBC-MD5 / SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
  - EXP-RC4-MD5 / SSL_CK_RC4_128_EXPORT40_WITH_MD5
  - DES-CBC-MD5 / SSL_CK_DES_64_CBC_WITH_MD5

* Weak (EXPORT and LOW) SSLv3 cipher support is not compiled in unless OpenSSL is built with the "enable-weak-ssl-ciphers" configure option.
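The defaults the comment above describes (SSLv2 off on the SSLv23 method unless an application clears SSL_OP_NO_SSLv2, and the EXPORT/DES SSLv2 suites gone) can be checked from Python, whose ssl module exposes the same OpenSSL option and build flags. This is an added example, not code from the bug report or from OpenSSL; it assumes a CPython ssl module linked against OpenSSL 1.1 or later, and the cipher sample is constructed.

```python
"""Added example, not code from the bug report or OpenSSL: verify a TLS-method
context can never negotiate SSLv2, flag the SSLv2 EXPORT/DES suites the patch
removed, and pin the context to TLS 1.2+ (ssl exposes the OpenSSL bits)."""
import ssl

# Constructed sample shaped like SSLContext.get_ciphers() output; the first
# three are the SSLv2 suites the upstream patch dropped.
SAMPLE_CIPHERS = [
    {"name": "EXP-RC2-CBC-MD5", "protocol": "SSLv2", "strength_bits": 40},
    {"name": "EXP-RC4-MD5", "protocol": "SSLv2", "strength_bits": 40},
    {"name": "DES-CBC-MD5", "protocol": "SSLv2", "strength_bits": 56},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "strength_bits": 128},
]

def sslv2_disabled(ctx: ssl.SSLContext) -> bool:
    """True when the context cannot negotiate SSLv2: either the library was
    built without it (ssl.HAS_SSLv2 False, the post-fix 'no-ssl2' default;
    OpenSSL 1.1+ then defines OP_NO_SSLv2 as 0) or the SSL_OP_NO_SSLv2 bit
    is set, which the SSLv23 method now does unless an application clears it
    with SSL_CTX_clear_options()."""
    return (not ssl.HAS_SSLv2) or bool(ctx.options & ssl.OP_NO_SSLv2)

def flag_weak(ciphers):
    """Names of SSLv2-only, EXPORT (40-bit) or sub-128-bit suites."""
    return [c["name"] for c in ciphers
            if c["protocol"] == "SSLv2" or c["name"].startswith("EXP-")
            or c["strength_bits"] < 128]

def weak_ciphers(ctx: ssl.SSLContext):
    """flag_weak() over what the context would actually offer."""
    return flag_weak(ctx.get_ciphers())

def harden(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Set a TLS 1.2 floor (the modern form of OP_NO_SSLv2|OP_NO_SSLv3, which
    also excludes TLS 1.0/1.1) and drop EXPORT/LOW/DES/RC2/RC4/MD5 suites."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!DES:!3DES:!RC2:!RC4:!MD5")
    return ctx

def hardened_server_context() -> ssl.SSLContext:
    """Server context on the SSLv23/TLS method (PROTOCOL_TLS_SERVER), hardened."""
    return harden(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))

if __name__ == "__main__":
    server = hardened_server_context()
    print("SSLv2 disabled:", sslv2_disabled(server))
    print("weak suites still offered:", weak_ciphers(server))
```

Note that this only checks one process's configuration; DROWN is cross-protocol, so any other service sharing the same RSA key must also be checked for SSLv2.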
Updates in Red Hat products include changes to SSLv23 connection methods and remove weak SSLv2 ciphers. Refer to knowledge base article 2176731 (see comment 3 above) for further details.

Statement:

(none)

The site for this issue:
https://www.drownattack.com/

Technical details can be found in the published paper "DROWN: Breaking TLS using SSLv2":
https://www.drownattack.com/drown-attack-paper.pdf

OpenSSL advisory:
https://www.openssl.org/news/secadv/20160301.txt

Related OpenSSL upstream commits:
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=56f1acf5ef8a432992497a04792ff4b3b2c6f286
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=a82cfd612b30258c7d720153298846727b06b046
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=abd5d8fbef7085499ba7785622da4e8288068f46

OpenSSL upstream blog post:
https://openssl.org/blog/blog/2016/03/01/an-openssl-users-guide-to-drown/

Mark Cox's (Red Hat Product Security) blog post:
https://access.redhat.com/blogs/product-security/posts/drown

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4 Extended Lifecycle Support

Via RHSA-2016:0306 https://rhn.redhat.com/errata/RHSA-2016-0306.html

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.6 Long Life
  Red Hat Enterprise Linux 5.9 Long Life

Via RHSA-2016:0304 https://rhn.redhat.com/errata/RHSA-2016-0304.html

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 Advanced Update Support
  Red Hat Enterprise Linux 6.5 Advanced Update Support
  Red Hat Enterprise Linux 6.4 Advanced Update Support

Via RHSA-2016:0303 https://rhn.redhat.com/errata/RHSA-2016-0303.html

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2016:0302 https://rhn.redhat.com/errata/RHSA-2016-0302.html

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.1 Extended Update Support
  Red Hat Enterprise Linux 6.6 Extended Update Support

Via RHSA-2016:0305 https://rhn.redhat.com/errata/RHSA-2016-0305.html

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:0301 https://rhn.redhat.com/errata/RHSA-2016-0301.html

It looks like sslv2 has finally been re-enabled to break (near all) reverse deps:
http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/commit/?id=8f6be98bf7b9e9015ad035f34b8414e82c7b68ca

We are facing the same problem in Gentoo... but we have important worries about re-enabling sslv2 support in openssl as it looks it could still cause security risks :/
https://bugs.gentoo.org/show_bug.cgi?id=576128

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:0372 https://rhn.redhat.com/errata/RHSA-2016-0372.html

This issue has been addressed in the following products:

  RHEV-H and Agents for RHEL-6
  RHEV-H and Agents for RHEL-7

Via RHSA-2016:0379 https://rhn.redhat.com/errata/RHSA-2016-0379.html

This issue has been addressed in the following products:

  JBoss Web Server 2.1.0

Via RHSA-2016:0445 https://rhn.redhat.com/errata/RHSA-2016-0445.html

This issue has been addressed in the following products:

  JBoss Web Server 3.0.2

Via RHSA-2016:0446 https://rhn.redhat.com/errata/RHSA-2016-0446.html

openssl101e-1.0.1e-7.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.4.6

Via RHSA-2016:0490 https://rhn.redhat.com/errata/RHSA-2016-0490.html

This issue has been addressed in the following products:

  JBoss Operations Network 3.3.6

Via RHSA-2016:1519 https://rhn.redhat.com/errata/RHSA-2016-1519.html