Bug 1377600 (CVE-2016-6304)
Field | Value
---|---
Summary | CVE-2016-6304 openssl: OCSP Status Request extension unbounded memory growth
Product | [Other] Security Response
Reporter | Tomas Hoger <thoger>
Component | vulnerability
Assignee | Red Hat Product Security <security-response-team>
Status | CLOSED ERRATA
Severity | high
Priority | high
Version | unspecified
CC | apmukher, bbaranow, bmaxwell, cdewolf, csutherl, dandread, darran.lofthouse, dosoudil, erik-fedora, gzaronik, hasuzuki, helge+fedora, huwang, jaeshin, jawilson, jclere, kfujii, krathod, ktietz, lgao, marcandre.lureau, mbabacek, mturk, myarboro, pete.philips, pgier, psakar, pslavice, redhat-bugzilla, rjones, rnetuka, rsvoboda, sardella, security-response-team, slawomir, szidek, tmraz, twalsh, unixi, vchepkov, vtunka, weli, yozone
Target Milestone | ---
Keywords | Security
Target Release | ---
Hardware | All
OS | Linux
Fixed In Version | openssl 1.0.1u, openssl 1.0.2i, openssl 1.1.0a
Doc Type | If docs needed, set a value
Doc Text | A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support.
Story Points | ---
Last Closed | 2019-06-08 02:58:55 UTC
Type | ---
Regression | ---
Mount Type | ---
Documentation | ---
Category | ---
oVirt Team | ---
Cloudforms Team | ---
Bug Depends On | 1377623, 1377624, 1377625, 1377626, 1378408, 1378409, 1378410, 1378411, 1381558, 1381559, 1381560, 1389394, 1389395, 1389396, 1389397, 1389398, 1429941
Bug Blocks | 1367347, 1446026, 1457678, 1461790, 1479475
Description

Tomas Hoger 2016-09-20 08:10:27 UTC

Acknowledgments:
Name: the OpenSSL project
Upstream: Shi Lei (Gear Team of Qihoo 360 Inc.)

Created attachment 1202766: OpenSSL upstream fix

Created attachment 1202768: OpenSSL upstream fix for 1.1.0

This flaw is in the code that handles the status_request TLS extension (RFC 4366, RFC 6066). Support for this extension was introduced upstream in version 0.9.8h; therefore, openssl packages in Red Hat Enterprise Linux 5 and earlier were not affected, as they did not include the affected code.

(In reply to Tomas Hoger from comment #0)
> Servers with a default configuration are vulnerable even if they do
> not support OCSP.

This statement does not apply to older OpenSSL versions. Previously, parsing of the status_request TLS extension only happened if the application using OpenSSL provided a tlsext_status_cb callback function. The behaviour changed in response to this upstream bug report:

https://rt.openssl.org/Ticket/Display.html?id=3178&user=guest&pass=guest
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb85ee9a8867b605cd7fb427869d0e50caa80a3f

In the 1.0.1 branch, this change was introduced in version 1.0.1g. The openssl packages in Red Hat Enterprise Linux 6 and 7 are based on upstream version 1.0.1e and require a callback to be set to perform status_request extension parsing. Therefore, this flaw can only be triggered for applications that explicitly enable OCSP stapling support. That functionality does not seem to be widely used in server applications using OpenSSL. Web servers such as httpd (2.4) and nginx allow users to enable stapling support, but don't do that by default:

http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslusestapling
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling

Created attachment 1203520: Updated OpenSSL upstream fix

Public now via upstream advisory.

Upstream commit:
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=2c0d295e26306e15a92eb23a84a1802005c1c137

External Reference:
https://www.openssl.org/news/secadv/20160922.txt

Created openssl101e tracking bugs for this issue:
Affects: epel-5 [bug 1378409]

Created openssl tracking bugs for this issue:
Affects: fedora-all [bug 1378408]

Created mingw-openssl tracking bugs for this issue:
Affects: fedora-all [bug 1378410]
Affects: epel-7 [bug 1378411]

Reporter's vulnerability page, including vulnerability logo:
http://security.360.cn/cve/CVE-2016-6304/

Statement:
TLS server applications using OpenSSL versions in Red Hat Enterprise Linux 6 and 7 are only affected if they enable OCSP stapling support. Applications not enabling OCSP stapling support are not affected. Few applications implement OCSP stapling support and typically do not enable it by default.

This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Via RHSA-2016:1940 https://rhn.redhat.com/errata/RHSA-2016-1940.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux 6.2 Advanced Update Support
Red Hat Enterprise Linux 6.4 Advanced Update Support
Red Hat Enterprise Linux 6.5 Advanced Update Support
Red Hat Enterprise Linux 6.5 Telco Extended Update Support
Red Hat Enterprise Linux 6.6 Advanced Update Support
Red Hat Enterprise Linux 6.6 Telco Extended Update Support
Red Hat Enterprise Linux 6.7 Extended Update Support
Via RHSA-2016:2802 https://rhn.redhat.com/errata/RHSA-2016-2802.html

This issue has been addressed in the following products:
Red Hat JBoss Core Services
Via RHSA-2017:1415 https://access.redhat.com/errata/RHSA-2017:1415

This issue has been addressed in the following products:
JBoss Core Services on RHEL 6
Via RHSA-2017:1414 https://access.redhat.com/errata/RHSA-2017:1414

This issue has been addressed in the following products:
JBoss Core Services on RHEL 7
Via RHSA-2017:1413 https://access.redhat.com/errata/RHSA-2017:1413

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform
Via RHSA-2017:1659 https://access.redhat.com/errata/RHSA-2017:1659

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6
Via RHSA-2017:1658 https://access.redhat.com/errata/RHSA-2017:1658

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Web Server 2
Via RHSA-2017:2494 https://access.redhat.com/errata/RHSA-2017:2494

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Web Server 2 for RHEL 6
Red Hat JBoss Enterprise Web Server 2 for RHEL 7
Via RHSA-2017:2493 https://access.redhat.com/errata/RHSA-2017:2493
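A triage helper, added here as example code that is not part of the bug report or of OpenSSL, encoding the reasoning from the comments above: the fixed-in upstream versions, the 1.0.1g change that made status_request parsing unconditional, and the callback gating that limits exposure of 1.0.1e-based packages to servers with OCSP stapling enabled. The `stapling_enabled` flag and the verdict labels are this example's own assumptions; distribution packages with backported fixes keep their old version string, so for RHEL 6/7 the erratum (RHSA-2016:1940) decides, not `openssl version`.

```python
"""Triage helper for CVE-2016-6304 (example code written for this page,
not part of OpenSSL or of the bug report)."""
import re

# Upstream releases that contain the fix (from the bug's "Fixed In Version").
FIXED_IN = {(1, 0, 1): "u", (1, 0, 2): "i", (1, 1, 0): "a"}
# Before 1.0.1g the status_request extension was only parsed when the
# application had installed a tlsext_status_cb callback (OCSP stapling).
CALLBACK_GATED_BEFORE = (1, 0, 1, "g")
# The extension handling code first appeared upstream in 0.9.8h.
EXT_INTRODUCED = (0, 9, 8, "h")

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Turn 'OpenSSL 1.0.1e-fips 11 Feb 2013' or '1.0.2h' into
    (major, minor, patch, letters). Letter suffixes compare as plain
    strings, which orders '' < 'a' < ... < 'z' < 'za' < 'zb' correctly."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), letters)


def assess(version_text, stapling_enabled):
    """Return 'not_affected', 'fixed', 'affected' or 'unknown'.

    stapling_enabled: whether the server application installs an OCSP
    status callback (e.g. httpd SSLUseStapling on, nginx ssl_stapling on).
    Caveat: distribution packages carry backported fixes under the old
    version string (RHEL 6/7 stay at 1.0.1e after RHSA-2016:1940), so
    for those check the erratum, not the output of `openssl version`.
    """
    v = parse_version(version_text)
    if v < EXT_INTRODUCED:
        return "not_affected"  # status_request code absent (e.g. RHEL 5's 0.9.8e)
    branch = v[:3]
    if branch not in FIXED_IN:
        return "unknown"       # branch not covered by the bug's fixed-in list
    if v[3] >= FIXED_IN[branch]:
        return "fixed"
    if v < CALLBACK_GATED_BEFORE:
        # 1.0.1e-style code: the leak is reachable only with a callback set
        return "affected" if stapling_enabled else "not_affected"
    return "affected"          # parsing is unconditional: default config exposed
```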