Symptoms
The Provider production Store node received an F rating from the Qualys SSL Labs test (www.ssllabs.com/ssltest/) with the following comment:
This server is vulnerable to the OpenSSL Padding Oracle vulnerability (CVE-2016-2107) and insecure. Grade set to F.
openssl package version installed on the Store node:
openssl.i686 1.0.1e-42.el6
openssl.x86_64 1.0.1e-42.el6
A package update is available:
# yum check-update openssl
openssl.i686 1.0.1e-48.el6_8.1
openssl.x86_64 1.0.1e-48.el6_8.1
Cause
The installed openssl-1.0.1e-42.el6 predates the fix. CVE-2016-2107 is a padding-oracle flaw in OpenSSL's AES-NI "stitched" CBC-MAC code path: a man-in-the-middle attacker can use it to decrypt TLS traffic protected by AES-CBC cipher suites on a server whose OpenSSL uses the AES-NI implementation. Red Hat fixed it, together with CVE-2016-2108, in the openssl-1.0.1e-48.el6_8.1 packages, as the package changelog shows (rpm -q --changelog reads the installed package's metadata, so run it after the update, or against the downloaded RPM file with rpm -qp --changelog):
# rpm -q --changelog openssl-1.0.1e-48.el6_8.1.x86_64 | egrep -i "(CVE-2016-2107|CVE-2016-2108)"
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
- fix CVE-2016-2108 - memory corruption in ASN.1 encoder
# rpm -q --changelog openssl-1.0.1e-48.el6_8.1.i686 | egrep -i "(CVE-2016-2107|CVE-2016-2108)"
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
- fix CVE-2016-2108 - memory corruption in ASN.1 encoder
Resolution
Update the openssl packages (both the i686 and x86_64 packages are installed; yum updates them together) to openssl-1.0.1e-48.el6_8.1:
# yum update openssl
Processes that were already running keep the old libssl mapped in memory, so restart every service that links libssl/libcrypto (at minimum the service terminating TLS on the Store node), then re-run the SSL Labs test to confirm the grade is no longer F.
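The procedure above as a single script, added here as an example and not part of the original article: it checks whether the installed openssl release predates the fixed release named on this page, updates it, confirms the CVE is named in the installed package's changelog, and lists processes that still map the replaced libssl/libcrypto (and therefore need a restart). It assumes an EL6 host with rpm and yum, root privileges, and that GNU sort -V orders these particular version strings the way rpmvercmp does; the vr_lt, changelog_has_cve, pids_mapping_deleted_libssl and remediate functions are the example's own, not rpm or yum features.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes an EL6 host with rpm/yum
# and root; the helper functions are this example's own, not rpm/yum features.

FIXED_VR="1.0.1e-48.el6_8.1"   # fixed version-release from the yum check-update output
CVE="CVE-2016-2107"

# vr_lt A B: succeed if version-release A is older than B.
# Assumption: GNU "sort -V" orders these EL6 strings like rpmvercmp does
# (it does for the releases on this page; rpmdev-vercmp is authoritative).
vr_lt() {
  [ "$1" != "$2" ] &&
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# changelog_has_cve CVE: read "rpm -q --changelog" output on stdin and succeed
# if the CVE is named in it as a whole word.
changelog_has_cve() {
  grep -qw "$1"
}

# pids_mapping_deleted_libssl [PROCDIR]: print the PIDs whose address space
# still maps a libssl/libcrypto file that has since been replaced on disk
# (shown as "(deleted)" in /proc/PID/maps). Those processes keep running the
# vulnerable code until they are restarted. PROCDIR defaults to /proc.
pids_mapping_deleted_libssl() {
  procdir="${1:-/proc}"
  for maps in "$procdir"/[0-9]*/maps; do
    [ -r "$maps" ] || continue
    if grep -Eq 'lib(ssl|crypto)\.so[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
      pid="${maps%/maps}"
      echo "${pid##*/}"
    fi
  done
}

# remediate: bring openssl to the fixed release and verify. Only runs on a host
# that has rpm, and only when the script is invoked with --run.
remediate() {
  installed="$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl | sort -V | tail -n 1)"
  if vr_lt "$installed" "$FIXED_VR"; then
    echo "openssl $installed predates the fix, updating to $FIXED_VR"
    yum -y update openssl
  else
    echo "openssl $installed is already at or beyond $FIXED_VR"
  fi
  # Confirm from the installed package's own changelog that the CVE is fixed.
  if ! rpm -q --changelog openssl | changelog_has_cve "$CVE"; then
    echo "installed openssl changelog does not mention $CVE" >&2
    return 1
  fi
  # The new library is loaded only by processes started after the update.
  for pid in $(pids_mapping_deleted_libssl /proc); do
    cmd="$(tr '\0' ' ' < "/proc/$pid/cmdline")"
    echo "restart required: pid $pid $cmd"
  done
}

if [ "${1:-}" = "--run" ] && command -v rpm >/dev/null 2>&1; then
  remediate
fi
```

Run it as root with --run; anything it reports under "restart required" still has the vulnerable library mapped and must be restarted before the SSL Labs re-test is meaningful.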
External references
CVE-2016-2107 on Red Hat Bugzilla