
Latest Vulnerabilities

Recently the OpenSSL team disclosed some bugs that affect the OpenSSL packages on Linux servers, and Red Hat marked these vulnerabilities as HIGH severity. The CVE numbers associated with the bugs are CVE-2016-2107 and CVE-2016-2108.

A short description of both CVEs is given below.

How to check whether your server is affected by these bugs

Option I :- 

1) Log in to your server with PuTTY and run the commands below

    i) [root@myhost ~]# rpm -qa --changelog openssl | grep CVE-2016-2108
    ii) [root@myhost ~]# rpm -qa --changelog openssl | grep CVE-2016-2107

After running the commands you should see output like the one below if your server is not affected by the bugs.

 [root@myhost ~]# rpm -qa --changelog openssl | grep CVE-2016-2108
- fix CVE-2016-2108 - memory corruption in ASN.1 encoder


And 

[root@myhost ~]# rpm -qa --changelog openssl | grep CVE-2016-2107
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC


This means Red Hat has back-ported the fixes into the openssl package on your server and you do not need to worry about the bugs anymore; just get some coffee or beer, whatever you prefer, and enjoy your drink :)

But if the commands produce no output on your screen, you need to put that cup of coffee or beer aside and look at the solution below.

Option II :-

Run the command below; if its output matches the version shown in the image below, your server is affected by the OpenSSL bugs we are discussing here.

[root@myhost ~]# rpm -qa openssl

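As an added example (not part of the original post), here is a small POSIX shell script that wraps the Option I changelog check in functions, so it can be run against the live rpm changelog on a RHEL/CentOS host or against a constructed sample changelog when rpm is not available. The sample fix lines are modelled on the output quoted above; the packager name and version strings in the sample are placeholders, not a real Red Hat advisory entry.

```shell
#!/bin/sh
# Added example, not from the original post: wrap the Option I changelog check
# in functions so it can run against the live rpm changelog on a RHEL/CentOS
# host or against a constructed sample when rpm is not available.

# cve_fixed_in_changelog CHANGELOG_TEXT CVE_ID
# Returns 0 when the changelog text mentions the CVE id, 1 otherwise.
cve_fixed_in_changelog() {
    printf '%s\n' "$1" | grep -qF -- "$2"
}

# openssl_cve_status CHANGELOG_TEXT CVE_ID
# Prints a one-line verdict for the CVE.
openssl_cve_status() {
    if cve_fixed_in_changelog "$1" "$2"; then
        echo "$2: fixed (back-ported by the distribution)"
    else
        echo "$2: NOT fixed - update openssl"
    fi
}

# Constructed sample changelogs. The fix lines are modelled on the output quoted
# in the post; the packager and version strings are placeholders.
SAMPLE_PATCHED='* Example Packager <packager@example.com> 1.0.1e-EXAMPLE
- fix CVE-2016-2108 - memory corruption in ASN.1 encoder
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC'

SAMPLE_OLD='* Example Packager <packager@example.com> 1.0.1e-OLDER
- unrelated change, no CVE fixes listed'

# Use the live changelog when rpm exists, otherwise the patched sample.
if command -v rpm >/dev/null 2>&1; then
    CHANGELOG=$(rpm -qa --changelog openssl 2>/dev/null)
else
    CHANGELOG=$SAMPLE_PATCHED
fi

for cve in CVE-2016-2107 CVE-2016-2108; do
    openssl_cve_status "$CHANGELOG" "$cve"
done
```

The check only tells you that the packager recorded a fix for that CVE in the package changelog, which is how Red Hat documents back-ports; it says nothing about whether the running services have been restarted to pick up the new library, which is what the Solutions section deals with.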
Solutions:

1) You need to update the openssl version on your server by one of the methods below:

    i) Install the new openssl version with YUM.
    ii) Install the new openssl version with RPM.
    iii) Install the new openssl version from SOURCE code.

2) It is recommended to restart the services that use the openssl libraries on the server once you have finished installing the new version.

But how do you find out which services on your server are using the openssl libraries? The answer is simple: just run the command below and you will get the list of services.


[root@myhost ~]# lsof | grep 'DEL.*lib' | cut -f 1 -d ' ' | sort -u

Now that you have the list, make sure to restart these services once you have installed the new openssl version.
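As an added example (not from the original post), the following POSIX shell script puts the lsof pipeline above into a function that reads lsof output on stdin, so it can be exercised on a constructed sample where lsof is not installed. It also accepts an optional pattern so the list can be narrowed to processes holding the OpenSSL libraries (libssl/libcrypto) rather than any deleted library. The sample lsof lines are constructed; the process names, PIDs and paths in them are made up. One caveat: lsof marks a mapping DEL only after the file on disk has been replaced, so this list is meaningful after the openssl update has been installed, not before.

```shell
#!/bin/sh
# Added example, not from the original post: list processes that still map a
# library file that has been deleted/replaced on disk, which is what the post's
# "lsof | grep 'DEL.*lib'" pipeline reports.

# services_with_stale_libs [LIB_PATTERN]
# Reads lsof output on stdin. Prints the unique COMMAND names that have a
# mapping whose FD column is DEL (file unlinked since it was mapped) and whose
# NAME matches LIB_PATTERN (an awk ERE; default "lib", as in the post).
services_with_stale_libs() {
    pat=${1:-lib}
    awk -v pat="$pat" '
        # lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME.
        # DEL entries may omit SIZE/OFF, so take COMMAND from $1, FD from $4
        # and NAME from the last field rather than counting on fixed columns.
        $4 == "DEL" && $NF ~ pat { print $1 }
    ' | sort -u
}

# Constructed sample of lsof output (processes, PIDs and paths are made up).
SAMPLE_LSOF='COMMAND    PID USER    FD   TYPE DEVICE SIZE/OFF    NODE NAME
httpd     2101 apache  DEL    REG    8,1           131118 /usr/lib64/libssl.so.1.0.1e
httpd     2102 apache  DEL    REG    8,1           131118 /usr/lib64/libssl.so.1.0.1e
sshd      1187 root    DEL    REG    8,1           131117 /usr/lib64/libcrypto.so.1.0.1e
sshd      1187 root    mem    REG    8,1    155744 131105 /usr/lib64/libz.so.1.2.3
postfix   1450 postfix DEL    REG    8,1           131117 /usr/lib64/libcrypto.so.1.0.1e
nginx     1600 nginx   DEL    REG    8,1           131200 /usr/lib64/libpcre.so.0.0.1
java      3001 tomcat  DEL    REG    8,1           262001 /opt/app/work/removed.jar
java      3001 tomcat  mem    REG    8,1   1926760 131001 /lib64/libc-2.12.so'

# On a real host, feed live lsof output instead of the sample.
if command -v lsof >/dev/null 2>&1; then
    LSOF_OUT=$(lsof -n 2>/dev/null)
else
    LSOF_OUT=$SAMPLE_LSOF
fi

echo "Processes holding any deleted library:"
printf '%s\n' "$LSOF_OUT" | services_with_stale_libs
echo "Processes holding a deleted OpenSSL library:"
printf '%s\n' "$LSOF_OUT" | services_with_stale_libs 'libssl|libcrypto'
```

On the constructed sample the first list is httpd, nginx, postfix and sshd, while the narrowed list drops nginx because its only stale mapping is libpcre, not an OpenSSL library. Matching on the FD column and the last field instead of a loose "DEL.*lib" grep avoids false hits from unrelated paths that happen to contain the string "lib".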

3) It is also sometimes recommended to reboot the server on which you just installed the newer version, so that the new openssl binaries are refreshed and available to all services.

But that depends entirely on you and how much downtime you can allow for your website/services by rebooting the server. For minimal downtime, just restart the services.

If you do not know how to do this, or have little time, or simply do not want to do it yourself, contact me and
I will do it for you :)

