Bug 907589 (CVE-2013-0169, Lucky13)
| Summary: | CVE-2013-0169 SSL/TLS: CBC padding timing attack (lucky-13) | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | 2ade7ea4, alegrand, aneelica, anpicker, bmontgom, collura, djorm, emaldona, eparis, erik-fedora, erooth, jason.greene, jburrell, jclere, jlieskov, jokerman, jorton, kakkoyun, kdudka, kengert, ktietz, langel, lcosic, lfarkas, lgao, lnovy, mads, mloibl, nstielau, oget.fedora, pkrupa, rjones, sgehwolf, shughes, sponnaga, steve.traylen, surbania, tmraz, weli, withoutrefuge, yoguma |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | openssl 1.0.1d, openssl 1.0.0k, openssl 0.9.8y, polarssl 1.2.5, icedtea6 1.11.8, icedtea6 1.12.3, icedtea7 2.1.6, icedtea7 2.2.6, icedtea7 2.3.7 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-07-03 18:06:15 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 907982, 911051, 911052, 911061, 911063, 919303, 919304, 920868, 920869, 1844242, 1858198 | ||
| Bug Blocks: | 906729, 907592, 920007, 954223, 959037, 1841016 | ||
|
Description
Vincent Danen
2013-02-04 19:16:50 UTC
GnuTLS advisory GNUTLS-SA-2013-1: http://www.gnutls.org/security.html#GNUTLS-SA-2013-1 GnuTLS fix: 2.12.x: https://gitorious.org/gnutls/gnutls/commit/458c67cf98740e7b12404f6c30e0d5317d56fd30 https://gitorious.org/gnutls/gnutls/commit/93b7fcfa3297a9123630704668b2946f602b910e 3.0.x: https://gitorious.org/gnutls/gnutls/commit/8dc2822966f64dd9cf7dde9c7aacd80d49d3ffe5 3.2.x / master: https://gitorious.org/gnutls/gnutls/commit/328ee22c1b3951e060c7124c7cb1cee592c59bc0 Additional references: http://arstechnica.com/security/2013/02/lucky-thirteen-attack-snarfs-cookies-protected-by-ssl-encryption http://www.imperialviolet.org/2013/02/04/luckythirteen.html Created polarssl tracking bugs for this issue Affects: fedora-all [bug 907982] This seems to be the polarssl fix: https://github.com/polarssl/polarssl/commit/4582999be608c9794d4518ae336b265084db9f93 https://github.com/polarssl/polarssl/commit/d66f070d492ef75405baad9f0d018b1bd06862c8 This is fixed in OpenSSL 1.0.1d, 1.0.0k, and 0.9.8y and referenced as CVE-2013-0169. What is unclear is whether or not this CVE is for the OpenSSL implementation or whether it is for all implementations (the question has been asked on oss-sec). OpenSSL advisory: http://www.openssl.org/news/secadv_20130205.txt Hi, the bouncycastle update is problematic. Namely, we are stuck with version 1.46 because the later version (1.47) comes with backward incompatible API changes. This affects the dependent libraries, in particular itext. Unfortunately we are also stuck with itext-2.1.7 because the next version series (itext-5.*) was vetoed by FE-Legal. Note that I do not maintain bouncycastle any more. I dropped my maintainership last August after an announcement in the Fedora-devel mailing list. To my knowledge no one picked it up yet, which makes me wonder why this bug CCd me. I can still provide some help though if you can supply a patch. If you provide a patch for bouncycastle-1.46 we can get around this problem. Mozilla has assigned CVE-2013-1620 for this issue affecting nss. References: Upstream bug: https://bugzilla.mozilla.org/show_bug.cgi?id=822365 Upstream is still working on the final patch. NSS upstream patch (still in the works): http://bonsai.mozilla.org/cvsquery.cgi?treeid=NSS&module=NSS&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=day&mindate=&maxdate=&cvsroot=%2Fcvsroot Here are the CVEs which have been assigned to this issue, affecting various products. SSL/TLS protocol / OpenSSL CVE-2013-0169 (this bug) Mozilla Network Security Services (NSS) CVE-2013-1620 (bug 908234) GnuTLS CVE-2013-1619 (bug 908238) PolarSSL three CVEs (see below) PolarSSL - TLS and DTLS protocol issue: CVE-2013-0169 (this bug) PolarSSL - out-of-bounds comparisons: CVE-2013-1621 (bug 908423) PolarSSL - lack of MAC check in some cases: CVE-2013-1622 (bug 908425) BouncyCastle CVE-2013-1624 (bug 908428) yaSSL CVE-2013-1623 (bug 908445) This bug is used for CVE-2013-0169 (In reply to comment #7) > Note that I do not maintain bouncycastle any more. I dropped my > maintainership last August after an announcement in the Fedora-devel mailing > list. To my knowledge no one picked it up yet, which makes me wonder why > this bug CCd me. Owners (and initial CC list members) of affected components are added to the CC list of security bugs by a script used to create these bugs. You got CCed here because bugzilla notes you as both owner and initial CC list member for component bouncycastle and product Fedora. OpenSSL fixes seems to be split across several commits: 0.9.8: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=270881316664396326c461ec7a124aec2c6cc081 http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=35a65e814beb899fa1c69a7673a8956c6059dce7 http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a33e6702a0db1b9f4648d247b8b28a5c0e42ca13 http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2928cb4c82d6516d9e65ede4901a5957d8c39c32 http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b3a959a337b8083bc855623f24cebaf43a477350 http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=be88529753897c29c677d1becb321f0072c0659c http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=99f5093347c65eecbd05f0668aea94b32fcf20d7 http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=24b28060975c01b749391778d13ec2ea1323a1aa http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=924b11742296c13816a9f301e76fea023003920c http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1909df070fb5c5b87246a2de19c17588deba5818 http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=33ccde59a1ece0f68cc4b64e930001ab230725b1 http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f9345a2f0b592457fc4a619ac98ea59ffd394ba http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=40e0de03955e218f45a7979cb46fba193f4e7fc2 1.0.0: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9c00a950604aca819cee977f1dcb4b45f2af3aa6 http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e5420be6cd09af2550b128575a675490cfba0483 http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f852b60797dc68aa86c99c4f7b905488d1538d99 http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=080f39539295d2c7c932e79dd670526b90a215a8 http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=610dfc3ef4c4019394534023115226f4ed0e7204 http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b23da2919b332fd83fa6de87caacb0651f64a3f5 http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3cdaca2436643908863c6a62918b0d9703477655 http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=11c48a0fd20d2ec091fde218449f3ba0ff1cf672 http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=33f44acbbe83ab718ae15c0d2c6a57e802705a36 It seems that there are some problems with openssl-1.0.1d (at least, perhaps also with the older branch releases). (In reply to comment #14) > It seems that there are some problems with openssl-1.0.1d (at least, perhaps > also with the older branch releases). OpenSSL 1.0.1e was released that corrects this regression: http://thread.gmane.org/gmane.comp.encryption.openssl.devel/22174 Related upstream ticket and commit: http://rt.openssl.org/Ticket/Display.html?id=2975&user=guest&pass=guest http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=32cc2479b473c49ce869e57fded7e9a77b695c0d Version also contains additional fixes or improvements related to this security fix: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f306b87d766e6ecf30824635c7c395b67cff9dbc http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=746c6f3a533b1eb50b909147b35fa1b0e5c61f59 http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=47061af1062e36b87242810f7f5279ee7240b9e4 http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=579f3a631ebeef5eb0135977640a835968d3ad6c This problem was addressed in Oracle Java SE 7u15, 6u41, 5.0u40 and 1.4.2_42: http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html OpenJDK upstream fix, as included in IcedTea7 repositories: http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/2a879243603d This issue has been addressed in java-1.6.0-openjdk in following products: Red Hat Enterprise Linux 6 Via RHSA-2013:0273 https://rhn.redhat.com/errata/RHSA-2013-0273.html This issue has been addressed in java-1.6.0-openjdk in following products: Red Hat Enterprise Linux 5 Via RHSA-2013:0274 https://rhn.redhat.com/errata/RHSA-2013-0274.html This issue has been addressed in java-1.7.0-openjdk in following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Via RHSA-2013:0275 https://rhn.redhat.com/errata/RHSA-2013-0275.html This issue has been addressed in java-1.7.0-oracle in following products: Supplementary for Red Hat Enterprise Linux 6 Supplementary for Red Hat Enterprise Linux 5 Via RHSA-2013:0532 https://rhn.redhat.com/errata/RHSA-2013-0532.html This issue has been addressed in java-1.6.0-sun in following products: Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2013:0531 https://rhn.redhat.com/errata/RHSA-2013-0531.html Fixed in upstream IcedTea versions IcedTea6 1.11.8, and 1.12.3, and IcedTea7 2.1.6, 2.2.6, and 2.3.7: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-February/021998.html http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-February/022040.html (In reply to comment #22) > OpenJDK upstream fix, as included in IcedTea7 repositories: > > http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/2a879243603d The same commit in upstream OpenJDK jdk7 repositories: http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/068448362d88 PolarSSL 1.2.5 with the fix(es) was already in rawhide. PolarSSL do apparently still not have any users in Fedora, so I guess I will take the easy solution and just push 1.2.5 to f17 and f18. This does not seem like a really important vulnerability. Can someone explain why so many people (mostly redhat) are working on this? Is this where redhat saves its resources for? Thanks! For those of us who support products which embed the vulnerable component, this is a vital vulnerability. Anything that is important to any of our customers is, by extension, important to us. Thank you for the explanation. I read (parts of) the paper, and from what I understand, a successful attack does not seem to be realistically probable. The paper itself regards this as "only a theoretical threat". I really do not think this is vital. Well, that's just me. The attention this bug received just made me curious. The fact that there are so many parts of Fedora that need more love and manpower made me question the rationale behind distributing the resources. Sorry if that sounded rude, that was not my intention. I'd agree that in case of Fedora this attack is of very low severity. On the other hand in case of Fedora it was resolved by simple upgrades of the affected packages to new upstream releases so I don't see any waste of resources here. openssl-1.0.1e-3.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. Are the fixes from the openssl packages still being backported to the Red Hat packages? Specifically, I'm looking for the fixed version of openssl-0.9.8e-22.el5_8.4. This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2013:0587 https://rhn.redhat.com/errata/RHSA-2013-0587.html openssl-1.0.0k-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report. Created mingw32-openssl tracking bugs for this issue Affects: epel-5 [bug 920869] Created mingw-openssl tracking bugs for this issue Affects: fedora-all [bug 920868] Created mingw32-openssl tracking bugs for this issue Affects: epel-5 [bug 920869] Created mingw-openssl tracking bugs for this issue Affects: fedora-all [bug 920868] This issue has been addressed in following products: RHEV-H and Agents for RHEL-6 Via RHSA-2013:0636 https://rhn.redhat.com/errata/RHSA-2013-0636.html This issue has been addressed in following products: JBoss Enterprise Application Platform 5.2.0 Via RHSA-2013:0783 https://rhn.redhat.com/errata/RHSA-2013-0783.html This issue has been addressed in following products: JBoss Enterprise Web Platform 5.2.0 Via RHSA-2013:0782 https://rhn.redhat.com/errata/RHSA-2013-0782.html This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2013:0823 https://rhn.redhat.com/errata/RHSA-2013-0823.html This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2013:0822 https://rhn.redhat.com/errata/RHSA-2013-0822.html This issue has been addressed in following products: JBoss Enterprise Application Platform 6.1.0 Via RHSA-2013:0833 https://rhn.redhat.com/errata/RHSA-2013-0833.html This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2013:0855 https://rhn.redhat.com/errata/RHSA-2013-0855.html This issue has been addressed in following products: Red Hat JBoss Web Server 2.0.1 Via RHSA-2013:1013 https://rhn.redhat.com/errata/RHSA-2013-1013.html This issue has been addressed in following products: Red Hat Network Satellite Server v 5.5 Via RHSA-2013:1456 https://rhn.redhat.com/errata/RHSA-2013-1456.html This issue has been addressed in following products: Red Hat Network Satellite Server v 5.4 Via RHSA-2013:1455 https://rhn.redhat.com/errata/RHSA-2013-1455.html This issue has been addressed in following products: RHEV Manager version 3.3 Via RHSA-2014:0416 https://rhn.redhat.com/errata/RHSA-2014-0416.html Mitigation: On OpenShift Container Platform 3.11 it's possible to edit the list of cipher suites offered by the router when performing 'edge', or 're-encrypt' TLS modes. Please follow the documentation [1], and [2] to remove the vulnerable CBC ciphers use the modern, or intermediate cipher suites outlined by Mozilla instead [3]. In 'passthrough' mode TLS termination occurs in the application so that is another way to mitigate the vulnerability. [1] https://docs.openshift.com/container-platform/3.11/install_config/router/customized_haproxy_router.html#obtaining-router-configuration-template [2] https://docs.openshift.com/container-platform/3.11/install_config/router/customized_haproxy_router.html#using-configmap-replace-template [3] https://wiki.mozilla.org/Security/Server_Side_TLS This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2020:4298 https://access.redhat.com/errata/RHSA-2020:4298 |