
OpenSSL CVE-2016-2107 and CVE-2016-2108

Discussion in 'Security' started by Dradden45, May 5, 2016.

  1. Dradden45

    Dradden45 Active Member

    Is cPanel working on a patch for these? As far as I know this would affect quite a large number of servers.
     
  2. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    We don't provide, or ship, OpenSSL. Patches need to be provided by Red Hat, CentOS, or CloudLinux.
     
  3. Dradden45

    Dradden45 Active Member

    Makes sense. It seems to be taking quite some time for the fixes just to get to the Fedora repos, never mind CentOS. Looks like it will be at least a day yet before anything is available.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    If you have automatic updates enabled for your system package manager (YUM), then you may find this command helpful:

    Code:
    rpm -q --changelog openssl | grep CVE
    It lists the patches included with the RPM, as the version number will not always change after an update. Ensure you run "yum update" manually from the command line once your OS vendor releases an update to address the issue, if you do not have automatic updates enabled.

    Thank you.
     
  5. eva2000

    eva2000 Well-Known Member

    Has cPanel considered rolling their own OpenSSL RPM, or adding the ability for the Apache provided by cPanel to also utilise a static OpenSSL version outside of the CentOS system OpenSSL packages? It would be useful in situations like this where CentOS/Red Hat are slow to release OpenSSL-related fixes. This could also open up the possibility of using OpenSSL alternatives like LibreSSL compiled statically against the cPanel Apache version?
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    The OpenSSL RPM provided by CentOS/Red Hat/Cloud Linux provides the functionality needed, and there are no plans to change this at this time. There was a feature request for LibreSSL marked as "Not Planned" last year at:

    Replace openssl with libressl

    Thank you.
     
  7. eva2000

    eva2000 Well-Known Member

    FYI, CentOS 6.x has just pushed out the CentOS 6.8 CR YUM repo fix for the openssl vulnerability, so you need to update via the CR YUM repo (see Security - OpenSSL 1.0.h & Updating). The CentOS 7.x openssl fix was released ~9 days ago already.

    Code:
    yum list updates --enablerepo=cr --disableplugin=priorities -q | grep openssl
    openssl.x86_64                            1.0.1e-48.el6_8.1                   cr
    openssl-devel.x86_64                      1.0.1e-48.el6_8.1                   cr
    The CentOS 6.7 and below repos will not have the fixed openssl version made available at all, due to the complexities with CentOS 6.8 building (see Security - OpenSSL 1.0.h & Updating).

    Code:
    rpm -qa --changelog openssl | head -n8
    * Mon May 02 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-48.1
    - fix CVE-2016-2105 - possible overflow in base64 encoding
    - fix CVE-2016-2106 - possible overflow in EVP_EncryptUpdate()
    - fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
    - fix CVE-2016-2108 - memory corruption in ASN.1 encoder
    - fix CVE-2016-2109 - possible DoS when reading ASN.1 data from BIO
    - fix CVE-2016-0799 - memory issues in BIO_printf
    I'd get updating your openssl packages, as cPanel-based servers have been vulnerable for days unless you have Apache/Nginx statically compiled against a fixed openssl version, or are using the LiteSpeed web server with its own statically compiled openssl version.

    And remember to recompile Apache via EasyApache!
     
    #7 eva2000, May 18, 2016
    Last edited: May 18, 2016
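The check cPanelMichael describes in post #4 (the RPM changelog, not the version number, tells you whether a CVE fix is in) and the changelog eva2000 quotes in post #7 can be automated. The script below is an added example, not code from the thread or from cPanel: it parses `rpm -q --changelog openssl` output into entries and reports which of the CVEs you care about are listed as fixed and in which version-release. The embedded changelog text is constructed from the entry quoted above plus one placeholder entry; `live_changelog()` swaps in the real rpm output when rpm is available.

```python
import re
import subprocess
from typing import Dict, List, Optional

# Header of an rpm changelog entry: "* <date> <packager> <version-release>"
ENTRY_RE = re.compile(r"^\* (?P<date>\w{3} \w{3} \d{2} \d{4}) .*? (?P<ver>\S+)$", re.M)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample: the entry quoted in post #7 plus one older placeholder entry.
SAMPLE_CHANGELOG = """\
* Mon May 02 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-48.1
- fix CVE-2016-2105 - possible overflow in base64 encoding
- fix CVE-2016-2106 - possible overflow in EVP_EncryptUpdate()
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
- fix CVE-2016-2108 - memory corruption in ASN.1 encoder
- fix CVE-2016-2109 - possible DoS when reading ASN.1 data from BIO
- fix CVE-2016-0799 - memory issues in BIO_printf

* Mon Jan 04 2016 Example Packager <packager@example.invalid> 1.0.1e-42.0
- rebuild (constructed placeholder entry with no CVE fixes)
"""

def parse_changelog(text: str) -> List[Dict[str, object]]:
    """Split rpm changelog output (newest entry first) into version, date and CVEs named."""
    entries = []
    headers = list(ENTRY_RE.finditer(text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[m.end():end]
        entries.append({"version": m.group("ver"), "date": m.group("date"),
                        "cves": sorted(set(CVE_RE.findall(body)))})
    return entries

def cve_status(text: str, wanted: List[str]) -> Dict[str, Optional[str]]:
    """Map each wanted CVE to the version-release whose entry lists it, or None if absent."""
    status: Dict[str, Optional[str]] = {cve: None for cve in wanted}
    for entry in parse_changelog(text):
        for cve in entry["cves"]:
            if cve in status and status[cve] is None:
                status[cve] = entry["version"]
    return status

def all_fixed(text: str, wanted: List[str]) -> bool:
    """True only when every wanted CVE appears somewhere in the installed changelog."""
    return all(v is not None for v in cve_status(text, wanted).values())

def live_changelog(package: str = "openssl") -> Optional[str]:
    """Run `rpm -q --changelog <package>`; None when rpm is unavailable or the query fails."""
    try:
        return subprocess.run(["rpm", "-q", "--changelog", package],
                              capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None

if __name__ == "__main__":
    text = live_changelog() or SAMPLE_CHANGELOG
    for cve, ver in cve_status(text, ["CVE-2016-2107", "CVE-2016-2108"]).items():
        print(f"{cve}: {'fixed in ' + ver if ver else 'NOT listed - update needed'}")
```

Run it on a CentOS 6.7 host and both CVEs come back as not listed, which is the "yum update says nothing but SSL Labs says vulnerable" situation in post #8; after the CR-repo update the 1.0.1e-48 entry appears.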
  8. meeven

    meeven Well-Known Member

    That's very useful info, thanks. It explains why I got 'No Packages marked for Update' when I ran yum update openssl on my cPanel server running CentOS 6.7.

    ssllabs.com reports the server as being vulnerable to CVE-2016-2107 and 2108. So, how do I fix the vulnerability if CentOS won't provide a patch for 6.7? It has close to 50 accounts and I can't possibly migrate all of them to another server running CentOS 6.8 or above. Any suggestions?
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Could you elaborate on what's preventing you from updating CentOS 6.7 to CentOS 6.8? This should not require a server migration.

    Thank you.
     