Bug 1180184 (CVE-2015-0204, FREAK) - CVE-2015-0204 openssl: only allow ephemeral RSA keys in export ciphersuites (FREAK)
Status: CLOSED ERRATA
Alias: CVE-2015-0204, FREAK
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1180189 1181014 1181015 1181016 1181017 1181018 1182870 1182871 1182872 1202953 1293298
Blocks: 1180194 1192260 1192263 1212496
Reported: 2015-01-08 15:14 UTC by Vasyl Kaigorodov
Modified: 2021-02-17 05:50 UTC (History)

Fixed In Version: OpenSSL 1.0.1k, OpenSSL 1.0.0p, OpenSSL 0.9.8zd
Doc Type: Bug Fix
Doc Text:
It was discovered that OpenSSL would accept ephemeral RSA keys when using non-export RSA cipher suites. A malicious server could make a TLS/SSL client using OpenSSL use a weaker key exchange method.
Last Closed: 2019-06-08 02:37:35 UTC


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0066 0 normal SHIPPED_LIVE Moderate: openssl security update 2015-01-22 02:28:18 UTC
Red Hat Product Errata RHSA-2015:0800 0 normal SHIPPED_LIVE Moderate: openssl security update 2015-04-13 15:54:05 UTC
Red Hat Product Errata RHSA-2015:0849 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.0 update 2015-04-16 19:39:06 UTC
Red Hat Product Errata RHSA-2016:1650 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.1 security update 2016-08-22 22:07:23 UTC

Description Vasyl Kaigorodov 2015-01-08 15:14:13 UTC
New release of OpenSSL [1] fixes the following issue:

OpenSSL clients would tolerate temporary RSA keys in non-export
ciphersuites. It also had an option SSL_OP_EPHEMERAL_RSA which
enabled this server side. Remove both options as they are a
protocol violation.

Upstream patches:
- master: https://github.com/openssl/openssl/commit/ce325c60c74b0fa784f5872404b722e120e5cab0
- 0.9.8: https://github.com/openssl/openssl/commit/72f181539118828ca966a0f8d03f6428e2bcf0d6
- 1.0.1: https://github.com/openssl/openssl/commit/37580f43b5a39f5f4e920d17273fab9713d3a744

[1]: https://www.openssl.org/news/changelog.html
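
The client-side rule this bug is about, as an added example that is not OpenSSL's code and not part of the original report: a temporary RSA key in ServerKeyExchange is acceptable only when the negotiated suite is an RSA_EXPORT one. The function names, the `strict` flag, the suite subset and the sample bytes are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum kx { KX_UNKNOWN, KX_RSA, KX_RSA_EXPORT };
enum verdict { ACCEPT, REJECT_MALFORMED, REJECT_UNKNOWN_SUITE, REJECT_TEMP_RSA_NON_EXPORT };
/* Constructed sample: ServerRSAParams with a 64-byte (512-bit) modulus and
 * exponent 65537; the modulus bytes are filler, not a real key. */
static const uint8_t SAMPLE_512[2 + 64 + 2 + 3] = {
    0x00, 0x40, 0xC1, [2 + 64] = 0x00, 0x03, 0x01, 0x00, 0x01
};

/* Key exchange of a few IANA suite IDs (subset picked for this example). */
static enum kx suite_kx(uint16_t id) {
    if (id == 0x0003 || id == 0x0008) return KX_RSA_EXPORT; /* RSA_EXPORT RC4_40_MD5, DES40_CBC_SHA */
    if (id == 0x002F || id == 0x0035) return KX_RSA;        /* RSA AES_128/256_CBC_SHA */
    return KX_UNKNOWN;
}

/* Modulus bit length from ServerRSAParams (u16 length + modulus, then u16
 * length + exponent); -1 if the buffer is truncated or a field is empty. */
int temp_rsa_bits(const uint8_t *p, size_t len) {
    if (len < 2) return -1;
    size_t mlen = ((size_t)p[0] << 8) | p[1];
    if (mlen == 0 || len < 2 + mlen + 2) return -1;
    size_t elen = ((size_t)p[2 + mlen] << 8) | p[3 + mlen];
    if (elen == 0 || len < 2 + mlen + 2 + elen) return -1;
    const uint8_t *m = p + 2;
    while (mlen > 1 && *m == 0) { m++; mlen--; }  /* skip leading zero bytes */
    int bits = (int)(mlen * 8);
    for (uint8_t top = *m; bits > 0 && !(top & 0x80); top <<= 1) bits--;
    return bits;
}

/* Client decision when ServerKeyExchange carries a temporary RSA key.
 * strict = 0 models the tolerant behaviour described in this bug. */
enum verdict on_temp_rsa_key(uint16_t suite, const uint8_t *ske, size_t len, int strict) {
    enum kx kx = suite_kx(suite);
    if (kx == KX_UNKNOWN) return REJECT_UNKNOWN_SUITE;
    if (temp_rsa_bits(ske, len) < 0) return REJECT_MALFORMED;
    if (strict && kx != KX_RSA_EXPORT) return REJECT_TEMP_RSA_NON_EXPORT;
    return ACCEPT;
}

int main(void) {
    printf("%d %d\n", on_temp_rsa_key(0x002F, SAMPLE_512, sizeof SAMPLE_512, 0),
           on_temp_rsa_key(0x002F, SAMPLE_512, sizeof SAMPLE_512, 1));
    return 0;
}
```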

Comment 1 Vasyl Kaigorodov 2015-01-08 15:22:15 UTC
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1180189]

Comment 5 Huzaifa S. Sidhpurwala 2015-01-16 04:08:29 UTC
Statement:

This issue affects versions of openssl as shipped with Red Hat Enterprise Linux 5, 6 and 7. Errata have been released to correct this issue.

This issue affects the version of openssl098e as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact and does not plan to address this flaw for the openssl098e component in any future security updates.

This issue affects the version of openssl097a as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 7 errata-xmlrpc 2015-01-21 21:28:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2015:0066 https://rhn.redhat.com/errata/RHSA-2015-0066.html

Comment 10 Huzaifa S. Sidhpurwala 2015-03-04 10:44:28 UTC
Red Hat Product Security team initially classified this as having low security impact, but after more details about the issue and the possible attack scenarios became clear, we re-classified it as a moderate impact security issue.

Comment 11 Tomas Hoger 2015-03-04 11:59:34 UTC
This issue got dubbed FREAK (Factoring RSA Export Keys).  Further details can be found in:

https://www.smacktls.com/#freak
http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html

Comment 12 Matt Wilkinson 2015-03-04 15:31:07 UTC
Is there going to be a patch for RHEL 5? It looks like there are fixes for this in RHEL 6 and 7 but not yet for RHEL 5, at least not that I can find.

Comment 13 Robert Scheck 2015-03-05 16:49:17 UTC
Huzaifa, are there still no plans for an update for RHEL 5 even though this has been
re-classified meanwhile?

Comment 14 Matt Goldman 2015-03-05 17:06:31 UTC
Matt, Robert:

RHEL 5 has entered Production Phase 3 as of January 31, 2014. As per our errata policy:
    
    "During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available."
    Red Hat Enterprise Linux Life Cycle
    https://access.redhat.com/support/policy/updates/errata#Production_3_Phase

This means that Red Hat will not be addressing Low, Moderate, or High impact CVEs in relation to RHEL 5.

Comment 15 john.haxby@oracle.com 2015-03-05 17:17:55 UTC
I have some sympathy with comment #14.  This is not a serious problem and all the screaming in the popular press (just search Google for "openssl freak") doesn't make it serious either.  Mind you, some of the popular press makes it sound like Armageddon all over again.

Comment 16 errata-xmlrpc 2015-04-13 11:54:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2015:0800 https://rhn.redhat.com/errata/RHSA-2015-0800.html

Comment 17 Robert Scheck 2015-04-13 13:12:27 UTC
May somebody explain how comment #16 works together with comment #14, please?

Comment 18 Ján Rusnačko 2015-04-13 13:26:09 UTC
(In reply to Robert Scheck from comment #17)
> May somebody explain how comment #16 works together with comment #14, please?
Please read the statement in comment 5, it is updated and should explain the current status.

Comment 22 Tomas Hoger 2015-04-15 15:07:09 UTC
This issue is now listed as fixed in Oracle Java SE 5.0u85 and 6u95:

http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixJAVA

According to the release notes:

http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html#bugfixes-6u95

  Area: security-libs/javax.net.ssl
  Synopsis: The EXPORT suites have been removed from the default enabled
  ciphersuite list.

  The EXPORT strength ciphersuites (such as SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
  SSL_RSA_EXPORT_WITH_RC4_40_MD5) were recently shown as too weak to be
  practically used in secure communications. They are no longer enabled by
  default.

  See 8074458 (not public).

The actual change is the removal of EXPORT cipher suites from the set of cipher suites enabled by default.  Hence CVE-2015-0204 is incorrectly used for Oracle JDK, as the following is noted as part of the CVE-2015-0204 description:

  NOTE: the scope of this CVE is only client code based on OpenSSL, not
  EXPORT_RSA issues associated with servers or other TLS implementations.

Comment 23 errata-xmlrpc 2015-04-16 15:39:18 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.4.0

Via RHSA-2015:0849 https://rhn.redhat.com/errata/RHSA-2015-0849.html

Comment 29 errata-xmlrpc 2016-08-22 18:08:32 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 2.1.1

Via RHSA-2016:1650 https://rhn.redhat.com/errata/RHSA-2016-1650.html

