Amazon Linux AMI update for openssl

1) Cryptographic issues

EUVDB-ID: #VU33317

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2013-0169

CWE-ID: CWE-310 - Cryptographic Issues

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue. Per http://www.openssl.org/news/vulnerabilities.html: Fixed in OpenSSL 1.0.1d (Affected 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1) Fixed in OpenSSL 1.0.0k (Affected 1.0.0j, 1.0.0i, 1.0.0g, 1.0.0f, 1.0.0e, 1.0.0d, 1.0.0c, 1.0.0b, 1.0.0a, 1.0.0) Fixed in OpenSSL 0.9.8y (Affected 0.9.8x, 0.9.8w, 0.9.8v, 0.9.8u, 0.9.8t, 0.9.8s, 0.9.8r, 0.9.8q, 0.9.8p, 0.9.8o, 0.9.8n, 0.9.8m, 0.9.8l, 0.9.8k, 0.9.8j, 0.9.8i, 0.9.8h, 0.9.8g, 0.9.8f, 0.9.8d, 0.9.8c, 0.9.8b, 0.9.8a, 0.9.8) Affected users should upgrade to OpenSSL 1.0.1e, 1.0.0k or 0.9.8y (The fix in 1.0.1d wasn't complete, so please use 1.0.1e or later)

Mitigation

Update the affected packages:

i686:
    openssl-1.0.1e-37.66.amzn1.i686
    openssl-static-1.0.1e-37.66.amzn1.i686
    openssl-perl-1.0.1e-37.66.amzn1.i686
    openssl-devel-1.0.1e-37.66.amzn1.i686
    openssl-debuginfo-1.0.1e-37.66.amzn1.i686

src:
    openssl-1.0.1e-37.66.amzn1.src

x86_64:
    openssl-devel-1.0.1e-37.66.amzn1.x86_64
    openssl-1.0.1e-37.66.amzn1.x86_64
    openssl-debuginfo-1.0.1e-37.66.amzn1.x86_64
    openssl-perl-1.0.1e-37.66.amzn1.x86_64
    openssl-static-1.0.1e-37.66.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2014-320.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Information disclosure

EUVDB-ID: #VU5373

Risk: Critical

CVSSv3.1: 9.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2014-0160

CWE-ID: CWE-200 - Information exposure

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to an error in the TLS/DTLS heartbeat functionality. A remote attacker can read system memory contents without needing to log on to the server and retrieve private keys, passwords or other sensitive information

Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.

Note: the vulnerability was being actively exploited.

Mitigation

Update the affected packages:

i686:
    openssl-1.0.1e-37.66.amzn1.i686
    openssl-static-1.0.1e-37.66.amzn1.i686
    openssl-perl-1.0.1e-37.66.amzn1.i686
    openssl-devel-1.0.1e-37.66.amzn1.i686
    openssl-debuginfo-1.0.1e-37.66.amzn1.i686

src:
    openssl-1.0.1e-37.66.amzn1.src

x86_64:
    openssl-devel-1.0.1e-37.66.amzn1.x86_64
    openssl-1.0.1e-37.66.amzn1.x86_64
    openssl-debuginfo-1.0.1e-37.66.amzn1.x86_64
    openssl-perl-1.0.1e-37.66.amzn1.x86_64
    openssl-static-1.0.1e-37.66.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2014-320.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.