[El-errata] New openssl updates available via Ksplice (ELSA-2016-1940)

Thu Sep 29 05:49:30 PDT 2016

Synopsis: ELSA-2016-1940 can now be patched using Ksplice
CVEs: CVE-2016-2177 CVE-2016-2178 CVE-2016-2179 CVE-2016-2180 CVE-2016-2181 CVE-2016-2182 CVE-2016-2183 CVE-2016-6302 CVE-2016-6304 CVE-2016-6306

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2016-1940.

INSTALLING THE UPDATES

We recommend that all users of Ksplice on OL 6 install these updates.

You can install these updates by running:

# ksplice -y user upgrade

32-bit applications should be restarted after upgrading the on-disk
openssl RPMs and statically linked applications using
openssl should be rebuilt to include these fixes.

Ksplice user-space patching requires installation of Ksplice-aware
packages and the system must be rebooted after the first installation of
these packages.  Refer to the installation instructions for the Enhanced
Ksplice Client in the Ksplice User's Guide for more details.  Systems
may be prepared for Ksplice patching by installing the Ksplice aware
packages in advance, prior to installing the enhanced Ksplice client.

DESCRIPTION

* CVE-2016-2177: Integer overflow during SSLv3 handshake.

Incorrect validation of buffer boundaries could lead to an integer overflow
and potential crash.  A remote attacker could use this flaw to cause a
denial-of-service or potentially get remote code execution.

* CVE-2016-2178: Side-channel attack on DSA signing algorithm.

The DSA signing algorithm was not configured to run in constant time,
leaving an opportunity for a cache-timing side channel attack.  A local
attacker could use this flaw to recover a private DSA key.

* CVE-2016-2179: Remote denial-of-service in DTLS.

Improper resource management when queueing out-of-order and fragmented DTLS
packets for later re-assembly could take up too much memory.  A remote
attacker could use this flaw to exhaust the memory on the server by opening
multiple connections to cause a denial-of-service.

* CVE-2016-2180: Out-of-bounds read in the Time Stamp Protocol.

A logic error could lead to an out-of-bounds stack read in the Time Stamp
Protocol (TSP).  An attacker could use this flaw to cause an application
linked with openssl to crash when parsing specially crafted time-stamp
files.

* CVE-2016-2181: Remote denial-of-service in DTLS replay protection.

DTLS replay protection can be leveraged by a remote attacker to cause all
subsequent legitimate packets to be dropped, leading to a
denial-of-service.

* CVE-2016-2182: Denial-of-service when parsing a certificate.

Missing bounds checking and error checking when converting a number to a
string could lead to an out-of-bounds memory write on the heap and
application crash.  An attacker could use a specially crafted certificate
to cause a denial-of-service.

* CVE-2016-6302: Denial-of-service when processing TLS tickets.

Incorrect input validation when processing TLS tickets could result in an
out-of-bounds read, potentially leading to a crash.  A remote attacker
could use this flaw to cause a denial-of-service.

* CVE-2016-6304: Denial-of-service when processing OCSP status requests.

Unbounded memory growth in the Online Certificate Status Protocol (OCSP)
status request handling could lead to memory exhaustion and
denial-of-service.  A remote attacker could use this flaw to cause a
denial-of-service.

* CVE-2016-6306: Out-of-bounds read when retrieving the certificate.

Missing bound checks before reading from memory could lead to an
out-of-bounds read of three bytes, theoretically potentially causing a
denial-of-service.  A remote attacker could use this flaw to cause a
denial-of-service.

* Lower priority of DES cipher suites to mitigate CVE-2016-2183.

Block cipher using a 64 bits block size are vulnerable to a practical
collision attack named birthday attack.  A remote attacker could use this
flaw to extract plain text of the encrypted data.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.