Skip to navigation

Security Advisory Moderate: openssl security update

Advisory: RHSA-2013:0782-1
Type: Security Advisory
Severity: Moderate
Issued on: 2013-05-01
Last updated on: 2013-05-01
Affected Products:
CVEs (cve.mitre.org): CVE-2013-0166
CVE-2013-0169

Details

An update for the OpenSSL component for JBoss Enterprise Web Platform 5.2.0
for Solaris and Microsoft Windows that fixes two security issues is now
available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols, as well as a
full-strength, general purpose cryptography library.

A NULL pointer dereference flaw was found in the OCSP response verification
in OpenSSL. A malicious OCSP server could use this flaw to crash
applications performing OCSP verification by sending a specially-crafted
response. (CVE-2013-0166)

It was discovered that OpenSSL leaked timing information when decrypting
TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites
were used. A remote attacker could possibly use this flaw to retrieve plain
text from the encrypted packets by using a TLS/SSL or DTLS server as a
padding oracle. (CVE-2013-0169)

Warning: Before applying this update, back up your existing JBoss
Enterprise Web Platform installation (including all applications and
configuration files).

All users of JBoss Enterprise Web Platform 5.2.0 for Solaris and Microsoft
Windows as provided from the Red Hat Customer Portal are advised to apply
this update.


Solution

The References section of this erratum contains a download link (you must
log in to download the update). Before applying the update, back up your
existing JBoss Enterprise Web Platform installation (including all
applications and configuration files).

JBoss server instances configured to use the Tomcat Native library must be
restarted for this update to take effect.

Updated packages


Bugs fixed (see bugzilla for more information)

907589 - CVE-2013-0169 SSL/TLS: CBC padding timing attack (lucky-13)
908052 - CVE-2013-0166 openssl: DoS due to improper handling of OCSP response verification


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/