Red Hat Security Advisory: openssl security update Security Advisory secalert@redhat.com Red Hat Security Response Team RHSA-2012:1306 Final 1 1 2012-09-24T15:52:00Z Current version 2012-09-24T15:52:00Z 2012-09-24T15:52:00Z Red Hat rhsa-to-cvrf 1.0.1484 2012-09-24T16:04:01Z An update for the OpenSSL component for JBoss Enterprise Web Server 1.0.2 for Solaris and Microsoft Windows that fixes multiple security issues is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. Multiple numeric conversion errors, leading to a buffer overflow, were found in the way OpenSSL parsed ASN.1 (Abstract Syntax Notation One) data from BIO (OpenSSL's I/O abstraction) inputs. Specially-crafted DER (Distinguished Encoding Rules) encoded data read from a file or other BIO input could cause an application using the OpenSSL library to crash or, potentially, execute arbitrary code. (CVE-2012-2110) A double free flaw was discovered in the policy checking code in OpenSSL. A remote attacker could use this flaw to crash an application that uses OpenSSL by providing an X.509 certificate that has specially-crafted policy extension data. (CVE-2011-4109) An information leak flaw was found in the SSL 3.0 protocol implementation in OpenSSL. Incorrect initialization of SSL record padding bytes could cause an SSL client or server to send a limited amount of possibly sensitive data to its SSL peer via the encrypted connection. (CVE-2011-4576) It was discovered that OpenSSL did not limit the number of TLS/SSL handshake restarts required to support Server Gated Cryptography. A remote attacker could use this flaw to make a TLS/SSL server using OpenSSL consume an excessive amount of CPU by continuously restarting the handshake. (CVE-2011-4619) This update also fixes additional security issues in OpenSSL that are not exposed in JBoss Enterprise Web Server: CVE-2011-4108, CVE-2012-0884, CVE-2012-1165, and CVE-2012-2333. Warning: Before applying the update, back up your existing JBoss Enterprise Web Server installation (including all applications and configuration files). All users of JBoss Enterprise Web Server 1.0.2 for Solaris and Microsoft Windows as provided from the Red Hat Customer Portal are advised to apply this update. Please see https://www.redhat.com/footer/terms-of-use.html Copyright © 2012 Red Hat, Inc. All rights reserved. Important https://rhn.redhat.com/errata/RHSA-2012-1306.html https://rhn.redhat.com/errata/RHSA-2012-1306.html https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=1.0.2 https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=1.0.2 This update also fixes additional security issues in OpenSSL that are not exposed in JBoss Enterprise Web Server: CVE-2011-4108, CVE-2012-0884, CVE-2012-1165, and CVE-2012-2333. 2012-01-04T00:00:00Z 2012-01-04T00:00:00Z CVE-2011-4108 Moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing JBoss Enterprise Web Server installation (including all applications and configuration files). The Apache HTTP Server must be restarted for this update to take effect. https://rhn.redhat.com/errata/RHSA-2012-1306.html https://www.redhat.com/security/data/cve/CVE-2011-4108.html CVE-2011-4108 https://bugzilla.redhat.com/show_bug.cgi?id=771770 bz#771770: CVE-2011-4108 openssl: DTLS plaintext recovery attack A double free flaw was discovered in the policy checking code in OpenSSL. A remote attacker could use this flaw to crash an application that uses OpenSSL by providing an X.509 certificate that has specially-crafted policy extension data. 2012-01-04T00:00:00Z 2012-01-04T00:00:00Z CVE-2011-4109 Moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing JBoss Enterprise Web Server installation (including all applications and configuration files). The Apache HTTP Server must be restarted for this update to take effect. https://rhn.redhat.com/errata/RHSA-2012-1306.html https://www.redhat.com/security/data/cve/CVE-2011-4109.html CVE-2011-4109 https://bugzilla.redhat.com/show_bug.cgi?id=771771 bz#771771: CVE-2011-4109 openssl: double-free in policy checks An information leak flaw was found in the SSL 3.0 protocol implementation in OpenSSL. Incorrect initialization of SSL record padding bytes could cause an SSL client or server to send a limited amount of possibly sensitive data to its SSL peer via the encrypted connection. 2012-01-04T00:00:00Z 2012-01-04T00:00:00Z CVE-2011-4576 Moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing JBoss Enterprise Web Server installation (including all applications and configuration files). The Apache HTTP Server must be restarted for this update to take effect. https://rhn.redhat.com/errata/RHSA-2012-1306.html https://www.redhat.com/security/data/cve/CVE-2011-4576.html CVE-2011-4576 https://bugzilla.redhat.com/show_bug.cgi?id=771775 bz#771775: CVE-2011-4576 openssl: uninitialized SSL 3.0 padding It was discovered that OpenSSL did not limit the number of TLS/SSL handshake restarts required to support Server Gated Cryptography. A remote attacker could use this flaw to make a TLS/SSL server using OpenSSL consume an excessive amount of CPU by continuously restarting the handshake. 2012-01-04T00:00:00Z 2012-01-04T00:00:00Z CVE-2011-4619 Moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing JBoss Enterprise Web Server installation (including all applications and configuration files). The Apache HTTP Server must be restarted for this update to take effect. https://rhn.redhat.com/errata/RHSA-2012-1306.html https://www.redhat.com/security/data/cve/CVE-2011-4619.html CVE-2011-4619 https://bugzilla.redhat.com/show_bug.cgi?id=771780 bz#771780: CVE-2011-4619 openssl: SGC restart DoS attack This update also fixes additional security issues in OpenSSL that are not exposed in JBoss Enterprise Web Server: CVE-2011-4108, CVE-2012-0884, CVE-2012-1165, and CVE-2012-2333. 2012-03-12T00:00:00Z 2012-03-12T00:00:00Z CVE-2012-0884 Low 2.6 AV:N/AC:H/Au:N/C:P/I:N/A:N The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing JBoss Enterprise Web Server installation (including all applications and configuration files). The Apache HTTP Server must be restarted for this update to take effect. https://rhn.redhat.com/errata/RHSA-2012-1306.html http://www.openssl.org/news/secadv_20120312.txt http://www.openssl.org/news/secadv_20120312.txt https://www.redhat.com/security/data/cve/CVE-2012-0884.html CVE-2012-0884 https://bugzilla.redhat.com/show_bug.cgi?id=802725 bz#802725: CVE-2012-0884 openssl: CMS and PKCS#7 Bleichenbacher attack This update also fixes additional security issues in OpenSSL that are not exposed in JBoss Enterprise Web Server: CVE-2011-4108, CVE-2012-0884, CVE-2012-1165, and CVE-2012-2333. 2012-03-12T00:00:00Z 2012-03-12T00:00:00Z CVE-2012-1165 Moderate 5.0 AV:N/AC:L/Au:N/C:N/I:N/A:P The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing JBoss Enterprise Web Server installation (including all applications and configuration files). The Apache HTTP Server must be restarted for this update to take effect. https://rhn.redhat.com/errata/RHSA-2012-1306.html https://www.redhat.com/security/data/cve/CVE-2012-1165.html CVE-2012-1165 https://bugzilla.redhat.com/show_bug.cgi?id=802489 bz#802489: CVE-2012-1165 openssl: mime_param_cmp NULL dereference crash Multiple numeric conversion errors, leading to a buffer overflow, were found in the way OpenSSL parsed ASN.1 (Abstract Syntax Notation One) data from BIO (OpenSSL's I/O abstraction) inputs. Specially-crafted DER (Distinguished Encoding Rules) encoded data read from a file or other BIO input could cause an application using the OpenSSL library to crash or, potentially, execute arbitrary code. 2012-04-19T00:00:00Z 2012-04-19T00:00:00Z CVE-2012-2110 Important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing JBoss Enterprise Web Server installation (including all applications and configuration files). The Apache HTTP Server must be restarted for this update to take effect. https://rhn.redhat.com/errata/RHSA-2012-1306.html http://www.openssl.org/news/secadv_20120419.txt http://www.openssl.org/news/secadv_20120419.txt https://www.redhat.com/security/data/cve/CVE-2012-2110.html CVE-2012-2110 https://bugzilla.redhat.com/show_bug.cgi?id=814185 bz#814185: CVE-2012-2110 openssl: asn1_d2i_read_bio integer errors leading to buffer overflow This update also fixes additional security issues in OpenSSL that are not exposed in JBoss Enterprise Web Server: CVE-2011-4108, CVE-2012-0884, CVE-2012-1165, and CVE-2012-2333. 2012-05-09T00:00:00Z 2012-05-10T00:00:00Z CVE-2012-2333 Moderate 5.0 AV:N/AC:L/Au:N/C:N/I:N/A:P The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing JBoss Enterprise Web Server installation (including all applications and configuration files). The Apache HTTP Server must be restarted for this update to take effect. https://rhn.redhat.com/errata/RHSA-2012-1306.html http://openssl.org/news/secadv_20120510.txt http://openssl.org/news/secadv_20120510.txt https://www.redhat.com/security/data/cve/CVE-2012-2333.html CVE-2012-2333 https://bugzilla.redhat.com/show_bug.cgi?id=820686 bz#820686: CVE-2012-2333 openssl: record length handling integer underflow Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges Codenomicon as the original reporter.