SB2014040702 - Amazon Linux AMI update for openssl
Published: April 7, 2014 Updated: April 4, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Cryptographic issues (CVE-ID: CVE-2013-0169)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue. Per http://www.openssl.org/news/vulnerabilities.html: Fixed in OpenSSL 1.0.1d (Affected 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1) Fixed in OpenSSL 1.0.0k (Affected 1.0.0j, 1.0.0i, 1.0.0g, 1.0.0f, 1.0.0e, 1.0.0d, 1.0.0c, 1.0.0b, 1.0.0a, 1.0.0) Fixed in OpenSSL 0.9.8y (Affected 0.9.8x, 0.9.8w, 0.9.8v, 0.9.8u, 0.9.8t, 0.9.8s, 0.9.8r, 0.9.8q, 0.9.8p, 0.9.8o, 0.9.8n, 0.9.8m, 0.9.8l, 0.9.8k, 0.9.8j, 0.9.8i, 0.9.8h, 0.9.8g, 0.9.8f, 0.9.8d, 0.9.8c, 0.9.8b, 0.9.8a, 0.9.8) Affected users should upgrade to OpenSSL 1.0.1e, 1.0.0k or 0.9.8y (The fix in 1.0.1d wasn't complete, so please use 1.0.1e or later)
2) Information disclosure (CVE-ID: CVE-2014-0160)
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.The weakness exists due to an error in the TLS/DTLS heartbeat functionality. A remote attacker can read system memory contents without needing to log on to the server and retrieve private keys, passwords or other sensitive information
Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.
Note: the vulnerability was being actively exploited.
Remediation
Install update from vendor's website.