If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k.
External References:
https://www.openssl.org/news/secadv/20170126.txt
Upstream commits:
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=2198b3a55de681e1f3c23edb0586afe13f438051
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=8e20499629b6bcf868d0072c7011e590b5c2294d
Created openssl101e tracking bugs for this issue:
Affects: epel-5 [bug 1416866]
Created openssl tracking bugs for this issue:
Affects: fedora-all [bug 1416864]
Created mingw-openssl tracking bugs for this issue:
Affects: fedora-all [bug 1416865]
Affects: epel-7 [bug 1416867]
Also note that for 1.0.1e the upstream fix is insufficient - the check for return value from EVP_CTRL_AEAD_TLS1_AAD has to be added in t1_enc.c.
(In reply to Tomas Mraz from comment #9)
> Also note that for 1.0.1e the upstream fix is insufficient - the check for
> return value from EVP_CTRL_AEAD_TLS1_AAD has to be added in t1_enc.c.
This was added upstream as part of this commit:
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=1a3701f4fe0530a40ec073cd78d02cfcc26c0f8e#patch7
The root cause here is an integer underflow, which leads to an out-of-bounds read, possibly resulting in a crash. The upstream advisory lists the following affected use cases:
- When CHACHA20/POLY1305 cipher suites are used. Those are not supported by openssl packages as shipped with current versions of Red Hat products.
- When the RC4-MD5 cipher suite is used. This cipher is supported and enabled by default. The problem can be mitigated by disabling this cipher in the configuration of an application using OpenSSL (if the application allows that).
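Added example, not part of the bug report and not OpenSSL's code: a simplified C model of the underflow described above and of the return-value check discussed in the earlier comments. All function and macro names are assumptions of the example, and the sample headers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define AAD_LEN 13u /* TLS AAD: seq(8) + type(1) + version(2) + length(2) */
#define MAC_LEN 16u /* MD5 digest size, as in the RC4-MD5 suite */
#define RECORD_LEN(a) (((size_t)(a)[AAD_LEN - 2] << 8) | (a)[AAD_LEN - 1])

/* Write wire_len into the 16-bit length field of a constructed sample AAD. */
static void set_len(uint8_t *aad, uint16_t wire_len)
{
    aad[AAD_LEN - 2] = (uint8_t)(wire_len >> 8);
    aad[AAD_LEN - 1] = (uint8_t)(wire_len & 0xff);
}

/* Unchecked: a length shorter than the MAC wraps to a huge size_t. */
static size_t payload_len_unchecked(uint16_t wire_len)
{
    uint8_t aad[AAD_LEN] = {0};
    set_len(aad, wire_len);
    return RECORD_LEN(aad) - MAC_LEN;
}

/* Checked: a record too short to hold a MAC is rejected with -1. */
static int payload_len_checked(const uint8_t *aad, size_t *out)
{
    size_t len = RECORD_LEN(aad);
    if (len < MAC_LEN)
        return -1;
    *out = len - MAC_LEN;
    return 1;
}

/* Caller: tests the return value; returns payload length or -1 if rejected. */
static long process_record(uint16_t wire_len)
{
    uint8_t aad[AAD_LEN] = {0};
    size_t payload = 0;
    set_len(aad, wire_len);
    if (payload_len_checked(aad, &payload) <= 0)
        return -1;
    return (long)payload;
}

int main(void)
{
    printf("unchecked(5) = %zu\n", payload_len_unchecked(5));
    printf("checked(5) = %ld, checked(48) = %ld\n", process_record(5), process_record(48));
}
```

The length check only helps if the caller tests the result, as `process_record` does; a caller that ignores the `-1` would carry on with a stale or unset length.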
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Via RHSA-2017:0286 https://rhn.redhat.com/errata/RHSA-2017-0286.html
This issue has been addressed in the following products:
Red Hat JBoss Core Services
Via RHSA-2018:2187 https://access.redhat.com/errata/RHSA-2018:2187
This issue has been addressed in the following products:
JBoss Core Services on RHEL 6
Via RHSA-2018:2186 https://access.redhat.com/errata/RHSA-2018:2186
This issue has been addressed in the following products:
JBoss Core Services on RHEL 7
Via RHSA-2018:2185 https://access.redhat.com/errata/RHSA-2018:2185