On 19 March 2015, the OpenSSL project team announced the release of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r, and 0.9.8zf. These new versions of the OpenSSL toolkit fix several security issues, which have been rated by the Red Hat Product Security team as having a Moderate impact. Red Hat has worked to provide updated packages for all affected products and versions of OpenSSL distributed with these products.
See the tables in this article for an overview of all Red Hat products that may be affected by these issues, and for commentary on the status of each identified CVE.
Background Information
OpenSSL is an implementation of the SSL and TLS protocols that also provides general-purpose cryptographic functions, and the core OpenSSL library is used by a wide variety of components distributed with Red Hat products.
Impact
See the tables below for a product-by-product overview of affected versions of OpenSSL. Links to the relevant errata will be added as they become available.
Severity
The most serious issues fixed by the new releases affect only OpenSSL 1.0.2. No Red Hat product ships this version of OpenSSL, so these issues are labelled as not affected in the tables below.
Issues labelled as deferred were determined not to pose a significant security risk to the products using the affected version of OpenSSL, and therefore do not need to be addressed by security advisories at this time.
Red Hat Enterprise Linux 5
| CVE | Red Hat Enterprise Linux 5 package: openssl | Red Hat Enterprise Linux 5 package: openssl097a |
|---|---|---|
| CVE-2015-0286 | not affected | not affected |
| CVE-2015-0287 | deferred | deferred |
| CVE-2015-0289 | deferred | deferred |
| CVE-2015-0292 | deferred | deferred |
| CVE-2015-0293 | deferred | deferred |
| CVE-2015-0288 | deferred | deferred |
| CVE-2015-0291 | not affected | not affected |
| CVE-2015-0290 | not affected | not affected |
| CVE-2015-0207 | not affected | not affected |
| CVE-2015-0208 | not affected | not affected |
| CVE-2015-1787 | not affected | not affected |
| CVE-2015-0285 | not affected | not affected |
| CVE-2015-0209 | not affected | not affected |
Red Hat Enterprise Linux 6
| CVE | Red Hat Enterprise Linux 6 package: openssl | Red Hat Enterprise Linux 6 package: openssl098e |
|---|---|---|
| CVE-2015-0286 | affected | not affected |
| CVE-2015-0287 | affected | deferred |
| CVE-2015-0289 | affected | deferred |
| CVE-2015-0292 | affected | deferred |
| CVE-2015-0293 | affected | deferred |
| CVE-2015-0288 | affected | deferred |
| CVE-2015-0291 | not affected | not affected |
| CVE-2015-0290 | not affected | not affected |
| CVE-2015-0207 | not affected | not affected |
| CVE-2015-0208 | not affected | not affected |
| CVE-2015-1787 | not affected | not affected |
| CVE-2015-0285 | not affected | not affected |
| CVE-2015-0209 | affected | not affected |
Red Hat Enterprise Linux 7
| CVE | Red Hat Enterprise Linux 7 package: openssl | Red Hat Enterprise Linux 7 package: openssl098e |
|---|---|---|
| CVE-2015-0286 | affected | not affected |
| CVE-2015-0287 | affected | deferred |
| CVE-2015-0289 | affected | deferred |
| CVE-2015-0292 | affected | deferred |
| CVE-2015-0293 | affected | deferred |
| CVE-2015-0288 | affected | deferred |
| CVE-2015-0291 | not affected | not affected |
| CVE-2015-0290 | not affected | not affected |
| CVE-2015-0207 | not affected | not affected |
| CVE-2015-0208 | not affected | not affected |
| CVE-2015-1787 | not affected | not affected |
| CVE-2015-0285 | not affected | not affected |
| CVE-2015-0209 | affected | not affected |
Red Hat JBoss Enterprise Application Platform, Red Hat JBoss Web Server, Red Hat Storage Server, Red Hat Enterprise Virtualization Manager
| CVE | Red Hat JBoss EAP | Red Hat JBoss WS | RHSS | RHEV-M |
|---|---|---|---|---|
| CVE-2015-0286 | not affected | not affected | affected | affected |
| CVE-2015-0287 | affected | affected | affected | affected |
| CVE-2015-0289 | affected | affected | affected | affected |
| CVE-2015-0292 | affected | affected | affected | affected |
| CVE-2015-0293 | affected | affected | affected | affected |
| CVE-2015-0288 | affected | affected | affected | affected |
| CVE-2015-0291 | not affected | not affected | not affected | not affected |
| CVE-2015-0290 | not affected | not affected | not affected | not affected |
| CVE-2015-0207 | not affected | not affected | not affected | not affected |
| CVE-2015-0208 | not affected | not affected | not affected | not affected |
| CVE-2015-1787 | not affected | not affected | not affected | not affected |
| CVE-2015-0285 | not affected | not affected | not affected | not affected |
| CVE-2015-0209 | not affected | not affected | affected | affected |
Resolution
Install the updated OpenSSL packages referenced by the respective advisories as they become available.
To install the updates, use the yum package manager as follows:
yum update
To only update the OpenSSL package and its dependencies, use:
yum update openssl
Note: openssl097a (Red Hat Enterprise Linux 5) and openssl098e (Red Hat Enterprise Linux 6 and 7) are separate compatibility packages that may be installed alongside openssl. If one of them is present, update it as well by using its package name in place of openssl in the command above.
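After updating, a practitioner will usually want to confirm that the installed package actually carries the fixes the tables say the package needs. Red Hat's openssl package changelogs (rpm -q --changelog openssl) cite the CVE identifiers fixed in each release, so the check is to look for every "affected" CVE of the relevant column in that changelog. The shell snippet below is an added example, not Red Hat tooling: the changelog text it runs against is constructed for the example (placeholder maintainer, date and version), and the CVE list is copied from the Red Hat Enterprise Linux 6 openssl column above.

```shell
# CVEs marked "affected" for the Red Hat Enterprise Linux 6 openssl package
# (taken from the table above).
RHEL6_OPENSSL_CVES="CVE-2015-0286 CVE-2015-0287 CVE-2015-0289 CVE-2015-0292 CVE-2015-0293 CVE-2015-0288 CVE-2015-0209"

# Constructed stand-in for the output of `rpm -q --changelog openssl`.
# Red Hat changelog entries cite the CVE ids fixed in a release in this style,
# but the maintainer, dates and versions here are placeholders, not a real
# release; two of the seven listed CVEs are deliberately left out.
SAMPLE_CHANGELOG='* Thu Mar 19 2015 Example Maintainer <maintainer@example.com> 1.0.1e-0.example
- fix CVE-2015-0286
- fix CVE-2015-0287
- fix CVE-2015-0289
- fix CVE-2015-0292
- fix CVE-2015-0293

* Mon Jan 12 2015 Example Maintainer <maintainer@example.com> 1.0.1e-0.example.prev
- earlier, unrelated fixes'

# missing_cves CHANGELOG CVE...
# Prints, one per line, every CVE id that does not occur in CHANGELOG.
# Returns 0 when all listed CVEs are mentioned, 1 otherwise.
missing_cves() {
    changelog=$1
    shift
    rc=0
    for cve in "$@"; do
        # -F: fixed string; -w: whole word, so a truncated id such as
        # CVE-2015-028 does not silently match CVE-2015-0286.
        if ! printf '%s\n' "$changelog" | grep -qFw -- "$cve"; then
            printf '%s\n' "$cve"
            rc=1
        fi
    done
    return "$rc"
}

# Demonstration on the constructed changelog: CVE-2015-0288 and CVE-2015-0209
# are not mentioned, so they are reported.
missing=$(missing_cves "$SAMPLE_CHANGELOG" $RHEL6_OPENSSL_CVES) || true
if [ -n "$missing" ]; then
    echo "sample changelog does not mention:"
    printf '  %s\n' $missing
else
    echo "sample changelog mentions every listed CVE"
fi
```

On a live system replace the sample with the real changelog, for example `missing_cves "$(rpm -q --changelog openssl)" $RHEL6_OPENSSL_CVES`, and pass only the CVEs marked "affected" for that package and product: entries labelled deferred or not affected will legitimately never appear in the changelog, so including them produces false alarms. A changelog hit shows the fix is in the installed package; services that loaded the old library before the update must still be restarted to pick it up.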
Comments
With respect to CVE-2015-0207 ... I'm aware the openssl advisory says that this is 1.0.2 only but the reason for that limitation is not clear. The code changed by the fix for it, https://github.com/openssl/openssl/commit/e83ee04bb7de800cdb71d522fa562e99328003a3 was introduced via https://github.com/openssl/openssl/commit/1fc3ac806d7bc25ac477325a668b234a589b9556 and is identical in all versions of openssl back to 0.9.8.
If this is indeed a 1.0.2 regression as claimed by the advisory, then why exactly are the older releases not affected? What protects/mitigates pre-1.0.2?
To be specific, the advisory on CVE-2015-0207 says "An example of such an error could be that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only server.".
Now DTLS1.2 is openssl-1.0.2-only. But this says "an example", not "the only case". Is a protocol version mismatch really the only case of ClientHello errors?