Lastest Vulnerbilities

Recently Openssl team released some bugs which affects the openssl packages on the Linux servers and REDHAT community marked this vulnerabilities as HIGH level of bugs.CVE number associated with bugs are CVE-2016-2107 and CVE-2016-2108.

Small description for both CVE is as below




   How to check whether your server is affected for this bugs or not  

Option I :- 

1) Login to your server by putty and run below command

    i) [root@myhost ~]# rpm -qa --changelog openssl | grep CVE-2016-2108
    ii) [root@myhost ~]# rpm -qa --changelog openssl | grep CVE-2016-2107

After running the command you would get something like below if you are server are not affected by the bug.

 [root@myhost ~]# rpm -qa --changelog openssl | grep CVE-2016-2108
- fix CVE-2016-2108 - memory corruption in ASN.1 encoder


And 

[root@myhost ~]# rpm -qa --changelog openssl | grep CVE-2016-2107
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC


Its means REDHAT had back-ported the fixes for the openssl packages on server and you do not need to worry about the bugs anymore, just get some coffee or beer whatever you prefer an enjoy your drink :) 

But after running the command if there is no output on your screen then you need to keep that cup of coffee or Beer aside, and need to look at the solution for it.

Option II :-

Run the command as below and if its output matches that with the version present in below image then your server is affected with the openssl bugs which we are discussing here.

 [root@myhost ~]# rpm -qa openssl
   
Solutions :   

1) You need to update the openssl version on your server either by below methods

                  i) Install the new openssl version by YUM.
                  ii) Install the new openssl version by RPM.
                  iii) Install the new openssl version by SOURCE code. 

2) Its recommeded to restart the services which openssl binaries are using on the server after you have done with installation of new version.

But how to find out which services on my server is using openssl binaries , answer is simple ,just run below command and you will get the list of services.


[root@myhost ~]# lsof | grep 'DEL.*lib' | cut -f 1 -d ' ' | sort -u

Now you have list, make sure to restart these services once you install new openssl version.

3) But it also recommended some time , that you reboot the server on which you just had install newer version to refresh all new openssl binaries to being available for all the services.

but it totally depends on you and how much downtime you would allow for your website/services by rebooting the services.

Else for minimal downtime, just restart the services.

If you do not know how to do these OR have less time OR simply Dont want to do this yourself,contact me
I will do it for you :)


No comments:

Post a Comment