2016-03-01 - OpenSSL Vulnerabilities (DROWN)

March 1, 2016 OpenSSL announced the following security advisories: https://www.openssl.org/news/secadv/20160301.txt

Advisory CVEs

  • CVE-2016-0800 - Cross-protocol attack on TLS using SSLv2 (DROWN) (Severity:High)

    This issue affects OpenSSL versions 1.0.1 and 1.0.2.

    OpenSSL 1.0.2 users should upgrade to 1.0.2g OpenSSL 1.0.1 users should upgrade to 1.0.1s

  • CVE-2016-0705 - Double-free in DSA code (Severity:Low)

    This issue affects OpenSSL versions 1.0.2 and 1.0.1.

    OpenSSL 1.0.2 users should upgrade to 1.0.2g OpenSSL 1.0.1 users should upgrade to 1.0.1s

  • CVE-2016-0798 - Memory leak in SRP database lookups (Severity:Low)

    This issue affects OpenSSL versions 1.0.2 and 1.0.1.

    OpenSSL 1.0.2 users should upgrade to 1.0.2g OpenSSL 1.0.1 users should upgrade to 1.0.1s

  • CVE-2016-0797 - BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (Severity:Low)

    This issue affects OpenSSL versions 1.0.2 and 1.0.1.

    OpenSSL 1.0.2 users should upgrade to 1.0.2g OpenSSL 1.0.1 users should upgrade to 1.0.1s

  • CVE-2016-0797 - Fix memory issues in BIO_*printf functions (Severity:Low)

    This issue affects OpenSSL versions 1.0.2 and 1.0.1.

    OpenSSL 1.0.2 users should upgrade to 1.0.2g OpenSSL 1.0.1 users should upgrade to 1.0.1s

  • CVE-2016-0702 - Side channel attack on modular exponentiation (Severity:Low)

    This issue affects OpenSSL versions 1.0.2 and 1.0.1.

    OpenSSL 1.0.2 users should upgrade to 1.0.2g OpenSSL 1.0.1 users should upgrade to 1.0.1s

  • CVE-2016-0703 - Divide-and-conquer session key recovery in SSLv2 (Severity:High)

    This issue affected OpenSSL versions 1.0.2, 1.0.1l, 1.0.0q, 0.9.8ze and all earlier versions. It was fixed in OpenSSL 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf

  • CVE-2016-0704 - Bleichenbacher oracle in SSLv2 (Severity:Moderate)

    This issue affected OpenSSL versions 1.0.2, 1.0.1l, 1.0.0q, 0.9.8ze and all earlier versions. It was fixed in OpenSSL 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf

Action

xCAT uses OpenSSL for client-server communication but does not ship it. Regarding CVE-2016-0800, xCAT also does not use SSLv2 layer but uses the newer TLS transport layer security.

It is recommended to keep your OpenSSL levels up-to-date with the indicated versions in the security bulletins to prevent any potential security threats.