Bug 1377594 (CVE-2016-6306)

Summary: CVE-2016-6306 openssl: certificate message OOB reads
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: apmukher, bbaranow, bmaxwell, cdewolf, csutherl, dandread, darran.lofthouse, dosoudil, erik-fedora, gzaronik, hkario, huwang, jaeshin, jawilson, jclere, karlo.luiten+bugzilla, ktietz, lgao, marcandre.lureau, mbabacek, mturk, myarboro, pgier, psakar, pslavice, redhat-bugzilla, rjones, rnetuka, rsvoboda, sardella, security-response-team, slawomir, tmraz, twalsh, vtunka, weli, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: openssl 1.0.1u, openssl 1.0.2i
Doc Type: If docs needed, set a value
Doc Text:
Multiple out of bounds read flaws were found in the way OpenSSL handled certain TLS/SSL protocol handshake messages. A remote attacker could possibly use these flaws to crash a TLS/SSL server or client using OpenSSL.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-08 02:58:53 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1377623, 1377624, 1377625, 1377626, 1378408, 1378409, 1378410, 1378411, 1381817, 1381818
Bug Blocks: 1367347
Attachments: OpenSSL upstream fix (flags: none)

Description Tomas Hoger 2016-09-20 07:51:51 UTC
Quoting from the draft of the OpenSSL upstream advisory:

Certificate message OOB reads (CVE-2016-6306)
=============================================

Severity: Low

In OpenSSL 1.0.2 and earlier some missing message length checks can result in
OOB reads of up to 2 bytes beyond an allocated buffer. There is a theoretical
DoS risk but this has not been observed in practice on common platforms.

The messages affected are client certificate, client certificate request and
server certificate. As a result the attack can only be performed against
a client or a server which enables client authentication.

OpenSSL 1.1.0 is not affected.

OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u

This issue was reported to OpenSSL on 22nd August 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL
development team.
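
The following C program is an added illustration of the flaw class the quoted advisory describes; it is example code written for this page, not OpenSSL's source and not the attached upstream fix. It models how a Certificate message body is walked: a 3-byte certificate_list_length, then entries each prefixed by a 3-byte length. The pre-fix shape reads each length before confirming that three bytes remain, so a one- or two-byte message, or a list with a one- or two-byte tail, is read past its end; the hardened shape checks first and rejects. The function and constant names, the over-read bookkeeping, the 64-byte backing buffer and the sample messages are all constructed for this demonstration.

```c
/* Added example modelling the Certificate-message length handling the advisory
 * describes (written for this page, not OpenSSL source). Body layout, RFC 5246
 * 7.4.2: uint24 certificate_list_length, then per entry uint24 length + DER. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read a 3-byte big-endian length and advance p (same shape as OpenSSL's n2l3). */
#define N2L3(p, l) do { (l) = ((uint32_t)(p)[0] << 16) | ((uint32_t)(p)[1] << 8) | (p)[2]; \
                        (p) += 3; } while (0)
enum { PARSE_OK = 0, PARSE_LENGTH_MISMATCH = -1, PARSE_LENGTH_TOO_SHORT = -2,
       PARSE_CERT_LENGTH_MISMATCH = -3 };
typedef struct { int status; unsigned certs; size_t overread; } result_t;

/* Pre-fix shape: each 3-byte length is read before checking that 3 bytes are
 * left, so a message shorter than 3 bytes, or a list with a 1-2 byte tail, is
 * read past its end. *overread counts bytes touched beyond msg + n (demo
 * instrumentation only, not part of the pattern). */
static int parse_cert_list_vulnerable(const unsigned char *msg, size_t n,
                                      unsigned *certs, size_t *overread)
{
    const unsigned char *p = msg;
    uint32_t llen, l, nc;
    *certs = 0;
    *overread = (n < 3) ? 3 - n : 0;
    N2L3(p, llen);                        /* may read past msg + n */
    if ((size_t)llen + 3 != n)
        return PARSE_LENGTH_MISMATCH;     /* rejected, but only after the over-read */
    for (nc = 0; nc < llen;) {
        if (llen - nc < 3)
            *overread += 3 - (llen - nc);
        N2L3(p, l);                       /* may read past msg + n */
        if ((size_t)l + nc + 3 > llen)
            return PARSE_CERT_LENGTH_MISMATCH;
        p += l;                           /* skip the certificate body */
        nc += l + 3;
        (*certs)++;
    }
    return PARSE_OK;
}

/* Hardened shape: prove the 3 bytes exist before every length read. */
static int parse_cert_list_fixed(const unsigned char *msg, size_t n, unsigned *certs)
{
    const unsigned char *p = msg;
    uint32_t llen, l, nc;
    *certs = 0;
    if (n < 3)
        return PARSE_LENGTH_TOO_SHORT;
    N2L3(p, llen);
    if ((size_t)llen + 3 != n)
        return PARSE_LENGTH_MISMATCH;
    for (nc = 0; nc < llen;) {
        if (llen - nc < 3)
            return PARSE_CERT_LENGTH_MISMATCH;  /* partial length field */
        N2L3(p, l);
        if ((size_t)l + nc + 3 > llen)
            return PARSE_CERT_LENGTH_MISMATCH;
        p += l;
        nc += l + 3;
        (*certs)++;
    }
    return PARSE_OK;
}

/* Constructed inputs; the "certificates" are filler bytes, not real DER. */
static const unsigned char good_msg[] = {
    0x00, 0x00, 0x09,                /* certificate_list_length = 9 */
    0x00, 0x00, 0x02, 0x30, 0x00,    /* entry 1: length 2 */
    0x00, 0x00, 0x01, 0x30 };        /* entry 2: length 1 */
static const unsigned char one_byte_msg[]  = { 0x00 };
static const unsigned char truncated_msg[] = { 0x00, 0x00, 0x02, 0x00, 0x00 }; /* 2-byte tail */

/* Run either parser on a copy inside a larger zeroed buffer, so the pre-fix
 * over-read lands in slack this demo owns rather than being undefined behaviour. */
static result_t run(const unsigned char *msg, size_t n, int fixed)
{
    unsigned char backing[64] = { 0 };
    result_t r = { PARSE_LENGTH_MISMATCH, 0, 0 };
    if (n > sizeof backing - 3)
        return r;
    memcpy(backing, msg, n);
    r.status = fixed ? parse_cert_list_fixed(backing, n, &r.certs)
                     : parse_cert_list_vulnerable(backing, n, &r.certs, &r.overread);
    return r;
}

int main(void)
{
    result_t v = run(one_byte_msg, sizeof one_byte_msg, 0);
    result_t f = run(one_byte_msg, sizeof one_byte_msg, 1);
    printf("1-byte message: pre-fix read %zu byte(s) past the end (status %d); fixed status %d\n",
           v.overread, v.status, f.status);
    v = run(truncated_msg, sizeof truncated_msg, 0);
    printf("2-byte tail   : pre-fix read %zu byte(s) past the end (status %d)\n", v.overread, v.status);
    f = run(good_msg, sizeof good_msg, 1);
    printf("well-formed   : fixed status %d, %u certificate(s)\n", f.status, f.certs);
    return 0;
}
```

Compile with `cc -std=c99 -Wall` and run. The pre-fix parser reads two bytes past the one-byte message and one byte past the two-byte tail, yet still fails the length comparison that follows, which is why the advisory rates this as a theoretical DoS rather than a disclosure: the out-of-range bytes only feed a check that then rejects the message. Here the slack is zeroed memory the program owns; a crash needs the message to end exactly at an unmapped page, consistent with the advisory's note that no DoS has been observed in practice on common platforms.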

Comment 1 Tomas Hoger 2016-09-20 07:51:57 UTC
Acknowledgments:

Name: the OpenSSL project
Upstream: Shi Lei (Gear Team of Qihoo 360 Inc.)

Comment 2 Tomas Hoger 2016-09-20 08:01:52 UTC
Created attachment 1202764 [details]
OpenSSL upstream fix

Comment 5 Tomas Hoger 2016-09-21 21:41:13 UTC
Additional follow-up patch to avoid protection against similar short over reads:

https://git.openssl.org/?p=openssl.git;a=commitdiff;h=bb1a4866034255749ac578adb06a76335fc117b1

A similar change was part of the patch attached in comment 2, but this one was extended to cover both TLS/SSL and DTLS.

Comment 6 Tomas Hoger 2016-09-22 10:58:53 UTC
Public now via upstream advisory.

External Reference:

https://www.openssl.org/news/secadv/20160922.txt

Comment 7 Tomas Hoger 2016-09-22 11:03:34 UTC
Created openssl101e tracking bugs for this issue:

Affects: epel-5 [bug 1378409]

Comment 8 Tomas Hoger 2016-09-22 11:03:41 UTC
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1378408]

Comment 9 Tomas Hoger 2016-09-22 11:03:47 UTC
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1378410]
Affects: epel-7 [bug 1378411]

Comment 10 errata-xmlrpc 2016-09-27 13:55:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:1940 https://rhn.redhat.com/errata/RHSA-2016-1940.html

Comment 13 errata-xmlrpc 2018-07-12 16:04:56 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2018:2187 https://access.redhat.com/errata/RHSA-2018:2187

Comment 14 errata-xmlrpc 2018-07-12 16:14:35 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6

Via RHSA-2018:2186 https://access.redhat.com/errata/RHSA-2018:2186

Comment 15 errata-xmlrpc 2018-07-12 16:16:38 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2018:2185 https://access.redhat.com/errata/RHSA-2018:2185