The following was reported by OpenSSL upstream:

During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate.

This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.

This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.

OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d.
OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p.

This issue was reported to OpenSSL on 24th June 2015 by Adam Langley/David Benjamin (Google/BoringSSL). The fix was developed by the BoringSSL project.
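An independent check for the condition described above (a certificate without the CA flag appearing as an issuer in a chain), given as an added example that is not part of the upstream advisory or of OpenSSL's code. It assumes each certificate in the chain was dumped with `openssl x509 -noout -text`; the sample dumps, subject names and helper functions are constructed for illustration, and signatures are not verified here.

```python
import re

def parse_cert(text):
    """Pull the fields this audit needs out of `openssl x509 -noout -text` output."""
    def name(label):
        m = re.search(rf"^\s*{label}:\s*(.+)$", text, re.M)
        return re.sub(r"\s*=\s*", "=", m.group(1).strip()) if m else None
    bc = re.search(r"X509v3 Basic Constraints:.*\n\s*CA:(TRUE|FALSE)", text)
    ku = re.search(r"X509v3 Key Usage:.*\n\s*(.+)", text)
    return {
        "subject": name("Subject"),
        "issuer": name("Issuer"),
        # A certificate without basicConstraints is treated here as not a CA.
        "is_ca": bc is not None and bc.group(1) == "TRUE",
        # None means keyUsage is absent; otherwise it must permit certificate signing.
        "can_sign": None if ku is None else "Certificate Sign" in ku.group(1),
    }

def audit_chain(dumps):
    """dumps: text dumps ordered leaf first. Returns findings; empty means clean."""
    certs = [parse_cert(d) for d in dumps]
    findings = []
    for pos in range(1, len(certs)):
        child, issuer = certs[pos - 1], certs[pos]
        who = f"chain[{pos}] {issuer['subject']}"
        if child["issuer"] != issuer["subject"]:
            findings.append(f"{who}: subject differs from issuer of chain[{pos - 1}]")
        if not issuer["is_ca"]:
            findings.append(f"{who}: issues a certificate but is not CA:TRUE")
        if issuer["can_sign"] is False:
            findings.append(f"{who}: keyUsage lacks Certificate Sign")
    return findings

def _dump(subject, issuer, ca, usage):
    # Constructed sample shaped like `openssl x509 -noout -text` output.
    return (f"        Issuer: {issuer}\n        Subject: {subject}\n"
            "            X509v3 Basic Constraints: critical\n"
            f"                CA:{ca}\n"
            "            X509v3 Key Usage: critical\n"
            f"                {usage}\n")

ROOT = _dump("CN = Test Root", "CN = Test Root", "TRUE", "Certificate Sign, CRL Sign")
INTER = _dump("CN = Test Intermediate", "CN = Test Root", "TRUE", "Certificate Sign")
LEAF = _dump("CN = leaf.example", "CN = Test Intermediate", "FALSE", "Digital Signature")
BOGUS = _dump("CN = other.example", "CN = leaf.example", "FALSE", "Digital Signature")

if __name__ == "__main__":
    print(audit_chain([LEAF, INTER, ROOT]))            # well-formed chain
    for finding in audit_chain([BOGUS, LEAF, INTER, ROOT]):  # leaf used as an issuer
        print(finding)
```

A check like this can run over chains recorded by a client or server as a second opinion on the library's own verification result.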
Created attachment 1045431 Main patch
Created attachment 1045432 Followup patch 1
Created attachment 1045433 Followup patch 2
Statement: Not vulnerable. This issue does not affect any version of the OpenSSL package as shipped with Red Hat Enterprise Linux 4, 5, 6 and 7, JBoss Enterprise Application Platform 6, Red Hat JBoss Enterprise Web Server 1 and 2, and Red Hat JBoss Web Server 3 because they did not include support for alternative certificate chains.
Acknowledgements: Red Hat would like to thank OpenSSL upstream for reporting this issue. Upstream acknowledges Adam Langley of Google and David Benjamin of BoringSSL as the original reporters.
External References: http://openssl.org/news/secadv_20150709.txt
Created openssl tracking bugs for this issue: Affects: fedora-all [bug 1241544]
FeedHenry advisory covering impact on multi-tenant SaaS offerings: http://feedhenrystatus.com/2015/07/09/security-advisory-cve-2015-1793/
Note, for clarity, the first affected upstream versions 1.0.1n and 1.0.2b were released on June 11th 2015.
Upstream commits in 1.0.1 branch:
Main patch:
http://git.openssl.org/?p=openssl.git;a=commitdiff;h=9a0db453ba017ebcaccbee933ee6511a9ae4d1c8
Test case:
http://git.openssl.org/?p=openssl.git;a=commitdiff;h=d42d1004332f40c1098946b0804791fd3da3e378
Follow-up patches:
http://git.openssl.org/?p=openssl.git;a=commitdiff;h=b3b1eb5735c5b3d566a9fc3bf745bf716a29afa0
http://git.openssl.org/?p=openssl.git;a=commitdiff;h=cb22d2ae5a5b6069dbf66dbcce07223ac15a16de
Alternate chains handling, and hence this vulnerability, was introduced to 1.0.1 branch via the following commit:
http://git.openssl.org/?p=openssl.git;a=commitdiff;h=f7bf8e02dfcb2c02bc12a59276d0a3ba43e6c204
Related upstream bug reports:
https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
https://rt.openssl.org/Ticket/Display.html?id=3637&user=guest&pass=guest
Current Fedora versions are affected, as the alternative chain handling code was backported to F21 and F22:
http://pkgs.fedoraproject.org/cgit/openssl.git/commit/?id=fc6854bd38f0a020118914e09bb7ef00964a9435
https://bugzilla.redhat.com/show_bug.cgi?id=1166614