
Latest Vulnerabilities

The OpenSSL team recently released fixes for bugs that affect the openssl packages on Linux servers, and Red Hat has marked these vulnerabilities as HIGH severity. The CVE numbers associated with the bugs are CVE-2016-2107 and CVE-2016-2108.

A short description of both CVEs is given below.




How to check whether your server is affected by these bugs

Option I :- 

1) Log in to your server with PuTTY and run the commands below:

    i) [root@myhost ~]# rpm -qa --changelog openssl | grep CVE-2016-2108
    ii) [root@myhost ~]# rpm -qa --changelog openssl | grep CVE-2016-2107

After running the commands you should see output like the following if your server is not affected by the bugs.

 [root@myhost ~]# rpm -qa --changelog openssl | grep CVE-2016-2108
- fix CVE-2016-2108 - memory corruption in ASN.1 encoder


And 

[root@myhost ~]# rpm -qa --changelog openssl | grep CVE-2016-2107
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC


This means Red Hat has back-ported the fixes into the openssl packages on your server, and you do not need to worry about these bugs anymore; just get some coffee or beer, whatever you prefer, and enjoy your drink :)

But if the commands print nothing at all, put that cup of coffee or beer aside, because you need to look at the solution below.
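The two grep commands above answer one CVE at a time. The script below, added here as an example and not part of the original post, wraps the same rpm changelog check into a function that reports every CVE id that is still missing, and runs the live query only when rpm(8) is present. The changelog excerpts it tests against are constructed for offline use; the "- fix CVE-..." lines copy the format shown above.

```shell
#!/bin/sh
# Added example, not from the original post: check an RPM changelog for
# back-ported CVE fixes and report which ids are missing.

# Constructed sample: the changelog after Red Hat back-ported both fixes.
SAMPLE_PATCHED='* (constructed date) Example Packager <packager@example.invalid>
- fix CVE-2016-2108 - memory corruption in ASN.1 encoder
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC'

# Constructed sample: an older changelog that mentions neither CVE.
SAMPLE_UNPATCHED='* (constructed date) Example Packager <packager@example.invalid>
- rebuilt with updated build flags
- documentation update only'

# Read a changelog on stdin; print the CVE ids (given as arguments) that it
# does not mention. Exit 0 when every id is present, 1 when any is missing.
missing_cves() {
    changelog=$(cat)
    missing=""
    for cve in "$@"; do
        # Require a non-digit (or end of line) after the id, so that
        # CVE-2016-2107 is not satisfied by a longer id that merely starts
        # with the same characters.
        if ! printf '%s\n' "$changelog" | grep -Eq -- "${cve}([^0-9]|$)"; then
            missing="$missing $cve"
        fi
    done
    missing=${missing# }
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
    fi
    [ -z "$missing" ]
}

# Live check of the installed package. The post uses "rpm -qa --changelog
# openssl"; "rpm -q --changelog openssl" is equivalent for a single package
# name. Returns 2 when rpm is not available (e.g. on a non-RPM host); if the
# package is not installed, the empty changelog makes both CVEs "missing".
check_installed_openssl() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; cannot check the installed openssl package" >&2
        return 2
    fi
    rpm -q --changelog openssl 2>/dev/null | missing_cves CVE-2016-2107 CVE-2016-2108
}

# Demonstration on the constructed samples (written with if/else so the
# script never exits early on the expected "missing" result).
if printf '%s\n' "$SAMPLE_PATCHED" | missing_cves CVE-2016-2107 CVE-2016-2108 >/dev/null; then
    echo "patched sample:   all fixes present"
fi
if ! printf '%s\n' "$SAMPLE_UNPATCHED" | missing_cves CVE-2016-2107 CVE-2016-2108 >/dev/null; then
    echo "unpatched sample: update openssl"
fi
```

On a RHEL/CentOS host, call `check_installed_openssl` after the samples; a non-zero exit with a printed list tells you exactly which fixes the installed package lacks. The check relies on the vendor naming the CVE in the changelog entry, which Red Hat does for back-ported fixes; a package built from source will not carry such an entry, so for those you have to compare the upstream version instead.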

Option II :-

Run the command below; if its output matches the version shown in the image below, your server is affected by the openssl bugs discussed here.

 [root@myhost ~]# rpm -qa openssl
   
Solutions:

1) Update the openssl version on your server by one of the following methods:

    i) Install the new openssl version with yum.
    ii) Install the new openssl version with rpm.
    iii) Install the new openssl version from source code.

2) Once the installation of the new version is done, it is recommended that you restart the services that use the openssl libraries on the server.

But how do you find out which services on your server are using the openssl libraries? The answer is simple: just run the command below and you will get the list of services.


[root@myhost ~]# lsof | grep 'DEL.*lib' | cut -f 1 -d ' ' | sort -u

Now that you have the list, make sure to restart these services once you have installed the new openssl version.
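The lsof one-liner works because, after an upgrade, a running process still maps the old (now deleted) library file, which lsof reports with DEL in the FD column. The script below is an added example, not part of the original post: it applies the same filter with awk (matching the FD column exactly rather than "DEL" anywhere on the line) and also shows which stale library each process holds. The lsof lines it parses are constructed sample output, not a capture from a real host; on a live system pipe the real `lsof` into the functions.

```shell
#!/bin/sh
# Added example, not from the original post: list processes that still map
# deleted shared libraries, i.e. the services that need a restart after the
# openssl update.

# Constructed sample in lsof's column layout (COMMAND PID USER FD TYPE ...
# NAME). Two httpd workers and sshd hold deleted libssl/libcrypto copies,
# mysqld holds a deleted temp file (not a library), and cron maps a library
# that has not been replaced.
SAMPLE_LSOF='COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
httpd     1201 apache  DEL   REG  253,0            4021 /usr/lib64/libssl.so.1.0.1e
httpd     1201 apache  DEL   REG  253,0            4020 /usr/lib64/libcrypto.so.1.0.1e
httpd     1202 apache  DEL   REG  253,0            4020 /usr/lib64/libcrypto.so.1.0.1e
sshd      1010 root    DEL   REG  253,0            4020 /usr/lib64/libcrypto.so.1.0.1e
mysqld    1300 mysql   DEL   REG  253,0            7777 /tmp/ibtmp1
cron      1050 root    mem   REG  253,0            4022 /usr/lib64/libcrypto.so.1.0.1e'

# Process names holding at least one deleted library mapping, one per line.
# Equivalent to the post's grep/cut pipeline, but keyed on the FD column.
deleted_lib_users() {
    awk '$4 == "DEL" && $NF ~ /lib/ { print $1 }' | sort -u
}

# One "command library" pair per line, so you can see which stale library
# each service still has loaded.
deleted_lib_pairs() {
    awk '$4 == "DEL" && $NF ~ /lib/ { print $1, $NF }' | sort -u
}

# Number of distinct process names that need a restart.
count_restart_candidates() {
    deleted_lib_users | wc -l | tr -d ' '
}

# Live run on the current host (lsof warnings go to stderr and are dropped).
live_restart_candidates() {
    lsof 2>/dev/null | deleted_lib_users
}

# Demonstration on the constructed sample.
echo "processes to restart:"
printf '%s\n' "$SAMPLE_LSOF" | deleted_lib_pairs
echo "count: $(printf '%s\n' "$SAMPLE_LSOF" | count_restart_candidates)"
```

The `lib` filter on the path is what keeps deleted temp files (mysqld above) out of the list; it also means the check is not specific to openssl, which is what you want, since any process holding a replaced library is running stale code. Run `live_restart_candidates` as root, otherwise lsof only sees your own processes.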

3) Sometimes it is also recommended that you reboot the server on which you just installed the newer version, so that the new openssl binaries are picked up by all services.

But that depends entirely on how much downtime you can allow for your website/services; for minimal downtime, just restart the services.

If you do not know how to do this, have little time, or simply do not want to do it yourself, contact me
and I will do it for you :)
