Symptoms

The provider's production Store node received an F rating from www.ssllabs.com/ssltest/ with the following comment:

This server is vulnerable to the OpenSSL Padding Oracle vulnerability (CVE-2016-2107) and insecure. Grade set to F.

openssl package version installed on the Store node (both the i686 and the x86_64 package are present, so both need to be updated):

openssl.i686 1.0.1e-42.el6 
openssl.x86_64 1.0.1e-42.el6

A fixed package is available from the repository:

# yum check-update openssl
openssl.i686 1.0.1e-48.el6_8.1
openssl.x86_64 1.0.1e-48.el6_8.1

Cause

CVE-2016-2107 is fixed in openssl-1.0.1e-48.el6_8.1 (x86_64 and i686 alike). The package changelog confirms the fix, together with CVE-2016-2108 (an ASN.1 encoder memory corruption patched in the same update). Note that rpm -q --changelog reads the installed package, so these entries appear only after the update has been applied (use rpm -qp --changelog on the downloaded .rpm to inspect it beforehand):

# rpm -q --changelog openssl-1.0.1e-48.el6_8.1.x86_64 | egrep -i "(CVE-2016-2107|CVE-2016-2108)"
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
- fix CVE-2016-2108 - memory corruption in ASN.1 encoder

# rpm -q --changelog openssl-1.0.1e-48.el6_8.1.i686 | egrep -i "(CVE-2016-2107|CVE-2016-2108)"
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
- fix CVE-2016-2108 - memory corruption in ASN.1 encoder

Resolution

Update the openssl package (both the x86_64 and the i686 package) to openssl-1.0.1e-48.el6_8.1 or later. A package update alone is not enough: a process that was started before the update keeps the old, vulnerable libssl mapped in memory until it is restarted, so restart every service that links against libssl (or reboot the node), then re-run the SSL Labs test to confirm the F grade is gone.
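As an added example (not from the original article and not part of the product's own tooling), the following POSIX shell script automates the check described in the Symptoms and Cause sections: it compares the installed openssl version-release against the fixed release named above, looks for the CVE-2016-2107 entry in the package changelog, and runs the real rpm queries when rpm is present on the host. The sample package lists embedded in the script are constructed to mirror the state shown in this article; version ordering relies on GNU sort -V, which is an assumption about the host.

```shell
#!/bin/sh
# Added example, not part of the original article. Audits the openssl package
# state described above: compares the installed version-release against the
# first el6 release that fixes CVE-2016-2107, checks the package changelog for
# the fix entry, and (when rpm is available) queries the live host.
# Assumptions: GNU coreutils (sort -V) for version ordering; the fixed release
# string is the one named in the article.

FIXED_VR="1.0.1e-48.el6_8.1"
CVE="CVE-2016-2107"

# vr_at_least INSTALLED FIXED: succeed when INSTALLED >= FIXED in
# version-release ordering. sort -V puts the lower string first, so the
# installed package is new enough exactly when FIXED sorts first or both match.
vr_at_least() {
    [ "$1" = "$2" ] && return 0
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$first" = "$2" ]
}

# changelog_fixes CVE: read changelog text on stdin, succeed when it carries a
# "fix <CVE>" entry such as "- fix CVE-2016-2107 - padding oracle ...".
changelog_fixes() {
    grep -qi "fix[[:space:]]*$1"
}

# audit_list: read "name.arch version-release" lines (the yum list /
# yum check-update format shown in the article) on stdin, report each openssl
# package and fail if any one of them is older than FIXED_VR.
audit_list() {
    bad=0
    while read -r pkg vr _; do
        case "$pkg" in openssl.*) ;; *) continue ;; esac
        if vr_at_least "$vr" "$FIXED_VR"; then
            echo "OK          $pkg $vr"
        else
            echo "VULNERABLE  $pkg $vr (need >= $FIXED_VR)"
            bad=1
        fi
    done
    return $bad
}

# audit_host: the same check against the real rpm database, plus the
# changelog query from the article. Skips (exit 2) where rpm is absent.
audit_host() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found; skipping host audit"; return 2; }
    rpm -q --qf '%{NAME}.%{ARCH} %{VERSION}-%{RELEASE}\n' openssl | audit_list || {
        echo "remediation: yum update openssl, then restart every service that uses libssl"
        return 1
    }
    if rpm -q --changelog openssl | changelog_fixes "$CVE"; then
        echo "changelog: $CVE fix entry present"
    else
        echo "changelog: no $CVE entry found"
    fi
}

# Constructed sample input mirroring the package state in the article.
SAMPLE_BEFORE='openssl.i686 1.0.1e-42.el6
openssl.x86_64 1.0.1e-42.el6'
SAMPLE_AFTER='openssl.i686 1.0.1e-48.el6_8.1
openssl.x86_64 1.0.1e-48.el6_8.1'

echo "--- sample before update"
printf '%s\n' "$SAMPLE_BEFORE" | audit_list || echo "=> update required"
echo "--- sample after update"
printf '%s\n' "$SAMPLE_AFTER" | audit_list && echo "=> fixed release installed"
echo "--- live host"
audit_host || true
```

Run it as root on the Store node; a VULNERABLE line or a non-zero status from audit_host means the update in the Resolution section is still outstanding. A clean package audit is not proof that the node is fixed: services started before the update still have the old library mapped, so list them with needs-restarting (from yum-utils) or lsof | grep libssl, restart them, and only then re-test on SSL Labs.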

External references

CVE-2016-2107 on Red Hat Bugzilla

Internal content

Link to internal article