Quoting from the draft of the OpenSSL upstream advisory:

OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
=====================================================================

Severity: High

A malicious client can send an excessively large OCSP Status Request extension. If that client continually requests renegotiation, sending a large OCSP Status Request extension each time, then there will be unbounded memory growth on the server. This will eventually lead to a Denial Of Service attack through memory exhaustion. Servers with a default configuration are vulnerable even if they do not support OCSP. Builds using the "no-ocsp" build time option are not affected.

OpenSSL 1.1.0 users should upgrade to 1.1.0a
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u

This issue was reported to OpenSSL on 29th August 2016 by Shi Lei (Gear Team, Qihoo 360 Inc.). The fix was developed by Matt Caswell of the OpenSSL development team.
Acknowledgments:

Name: the OpenSSL project
Upstream: Shi Lei (Gear Team of Qihoo 360 Inc.)
Created attachment 1202766 [details] OpenSSL upstream fix
Created attachment 1202768 [details] OpenSSL upstream fix for 1.1.0
This flaw is in the code that handles the status_request TLS extension (RFC 4366, RFC 6066). Support for this extension was introduced upstream in version 0.9.8h; therefore, openssl packages in Red Hat Enterprise Linux 5 and earlier were not affected, as they did not include the affected code.
(In reply to Tomas Hoger from comment #0)
> Servers with a default configuration are vulnerable even if they do
> not support OCSP.

This statement does not apply to older OpenSSL versions. Previously, parsing of the status_request TLS extension only happened if the application using OpenSSL provided a tlsext_status_cb callback function. The behaviour changed in response to this upstream bug report:

https://rt.openssl.org/Ticket/Display.html?id=3178&user=guest&pass=guest
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb85ee9a8867b605cd7fb427869d0e50caa80a3f

In the 1.0.1 branch, this change was introduced in version 1.0.1g. The openssl packages in Red Hat Enterprise Linux 6 and 7 are based on upstream version 1.0.1e and require the callback to be set to perform status_request extension parsing. Therefore, this flaw can only be triggered for applications that explicitly enable OCSP stapling support. That functionality does not seem to be widely used in server applications using OpenSSL. Web servers such as httpd (2.4) and nginx allow users to enable stapling support, but don't do that by default:

http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslusestapling
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
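Since on the RHEL 6/7 builds described above only servers that enable OCSP stapling are in scope, a defender's first question is which httpd and nginx instances actually have it switched on. The following is an added Python helper, not part of the bug report or of either project; it assumes the directive names SSLUseStapling (httpd, case-insensitive) and ssl_stapling (nginx) from the linked documentation, treats the last effective directive in a fragment as the winning one, and runs on constructed config fragments embedded inline.

```python
import re

# Constructed sample fragments (not taken from any real deployment).
HTTPD_CONF = """\
<VirtualHost *:443>
    SSLEngine on
    # SSLUseStapling on
    SSLUseStapling On
    SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
</VirtualHost>
"""

NGINX_CONF = """\
server {
    listen 443 ssl;
    ssl_stapling off;  # stapling explicitly disabled
    ssl_stapling_verify on;
}
"""

# Apache: "SSLUseStapling on|off", directive name is case-insensitive.
_HTTPD_RE = re.compile(r"(?i)^sslusestapling\s+(on|off)\b")
# nginx: "ssl_stapling on|off;" (must not match ssl_stapling_verify).
_NGINX_RE = re.compile(r"^ssl_stapling\s+(on|off)\s*;")


def _effective_lines(conf: str):
    """Yield each line with '#' comments removed and whitespace trimmed."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def _last_setting(conf: str, pattern: re.Pattern) -> bool:
    """Return True if the last matching directive in `conf` says 'on'.
    Assumption: later directives override earlier ones; stapling is off
    when no directive is present, matching both servers' defaults."""
    state = False
    for line in _effective_lines(conf):
        m = pattern.match(line)
        if m:
            state = m.group(1).lower() == "on"
    return state


def httpd_stapling_enabled(conf: str) -> bool:
    return _last_setting(conf, _HTTPD_RE)


def nginx_stapling_enabled(conf: str) -> bool:
    return _last_setting(conf, _NGINX_RE)
```

Run the two functions over the SSL sections of each server's configuration (including any Include'd files) to enumerate the hosts that need the patched openssl first.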
Created attachment 1203520 [details] Updated OpenSSL upstream fix
Public now via upstream advisory.

Upstream commit:
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=2c0d295e26306e15a92eb23a84a1802005c1c137

External Reference:
https://www.openssl.org/news/secadv/20160922.txt
Created openssl101e tracking bugs for this issue: Affects: epel-5 [bug 1378409]
Created openssl tracking bugs for this issue: Affects: fedora-all [bug 1378408]
Created mingw-openssl tracking bugs for this issue: Affects: fedora-all [bug 1378410] Affects: epel-7 [bug 1378411]
Reporter's vulnerability page, including vulnerability logo: http://security.360.cn/cve/CVE-2016-6304/
Statement: TLS server applications using OpenSSL versions in Red Hat Enterprise Linux 6 and 7 are only affected if they enable OCSP stapling support. Applications not enabling OCSP stapling support are not affected. Few applications implement OCSP stapling support and typically do not enable it by default.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7

Via RHSA-2016:1940 https://rhn.redhat.com/errata/RHSA-2016-1940.html

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6.2 Advanced Update Support
Red Hat Enterprise Linux 6.4 Advanced Update Support
Red Hat Enterprise Linux 6.5 Advanced Update Support
Red Hat Enterprise Linux 6.5 Telco Extended Update Support
Red Hat Enterprise Linux 6.6 Advanced Update Support
Red Hat Enterprise Linux 6.6 Telco Extended Update Support
Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2016:2802 https://rhn.redhat.com/errata/RHSA-2016-2802.html

This issue has been addressed in the following products:

Red Hat JBoss Core Services

Via RHSA-2017:1415 https://access.redhat.com/errata/RHSA-2017:1415

This issue has been addressed in the following products:

JBoss Core Services on RHEL 6

Via RHSA-2017:1414 https://access.redhat.com/errata/RHSA-2017:1414

This issue has been addressed in the following products:

JBoss Core Services on RHEL 7

Via RHSA-2017:1413 https://access.redhat.com/errata/RHSA-2017:1413

This issue has been addressed in the following products:

Red Hat JBoss Enterprise Application Platform

Via RHSA-2017:1659 https://access.redhat.com/errata/RHSA-2017:1659

This issue has been addressed in the following products:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:1658 https://access.redhat.com/errata/RHSA-2017:1658

This issue has been addressed in the following products:

Red Hat JBoss Enterprise Web Server 2

Via RHSA-2017:2494 https://access.redhat.com/errata/RHSA-2017:2494

This issue has been addressed in the following products:

Red Hat JBoss Enterprise Web Server 2 for RHEL 6
Red Hat JBoss Enterprise Web Server 2 for RHEL 7

Via RHSA-2017:2493 https://access.redhat.com/errata/RHSA-2017:2493