I am running Centos 6.4 with Apache 2.2 on a Linux VPS and I have recently upgraded my OpenSSL to version 1.0.2h. I am scoring an F on the CA Security Council SSL report due to the OpenSSL Padding Oracle vuln. (CVE-2016-2107). Yum update doesn't do anything. How do I repair this vulnerability?
1
-
Centos 6 doesn't come with openssl 1.0.2h. How did you install this? If you replaced the Centos version with something else you can't rely on their updates anymore. – Håkan Lindqvist Jul 09 '16 at 22:50
-
Why are you stuck on 6.4? – Michael Hampton Jul 09 '16 at 23:06
-
@user1780242 You should at the very least follow the Centos 6 track (6.8 is current) and probably consider upgrading to Centos 7 at some point. – Håkan Lindqvist Jul 09 '16 at 23:23
-
You haven't updated the system for several years! A new vulnerability is probably the least of your worries. Start by getting up to date. – Michael Hampton Jul 10 '16 at 00:08
1 Answer
2
Centos fixed the CVE-2016-2107 vulnerability in package version 1.0.1e-48.el6_8.1 (for Centos 6), which corresponds to RHSA-2016-0996.
However, you are saying that you have installed a later openssl version (version 1.0.2h, which supposedly is not vulnerable to this). It's unclear how exactly this was installed and if you now instead have two openssl versions side by side, possibly with some software built for one and other software built for the other version.
Can you verify which version that Apache actually uses? I'm guessing that if it's the Centos packaged Apache httpd it will still be using their openssl library, while yours is sitting somewhere on the side.

Håkan Lindqvist
-
@user1780242 Yes, but that just answers which version the first `openssl` executable in `$PATH` is, not which library is used by anything else. – Håkan Lindqvist Jul 09 '16 at 23:15
-
@user1780242 Something like `ldd mod_ssl.so | grep libssl` (wherever the mod_ssl file is located). – Håkan Lindqvist Jul 09 '16 at 23:20
-
@user1780242 Ok, and am I right to guess that `/usr/lib64/libssl.so.10` is the Centos provided library? While yours is probably in /usr/local/lib or whatnot? – Håkan Lindqvist Jul 09 '16 at 23:24
-
@user1780242 Well, I had a look at a Centos 6 system and unless you have overwritten the distro-provided stuff it's a symlink `libssl.so.10 -> libssl.so.1.0.1e` – Håkan Lindqvist Jul 09 '16 at 23:46
-
@user1780242 "new install"? Apache mod_ssl is built for their version, if you just install their 1.0.1e-48.el6_8.1 update apache should be fixed. It's unclear to me if anything uses your 1.0.2h version. – Håkan Lindqvist Jul 09 '16 at 23:52
-
@user1780242 Yes, if you want to get rid of it (which might make sense if it's not used by anything). – Håkan Lindqvist Jul 10 '16 at 00:03
-
@user1780242 Normally you would just `yum update` to stay current. I'm not sure what yum repos you have set up, if you are currently sticking to 6.4 rather than just getting the latest Centos 6 updates. – Håkan Lindqvist Jul 10 '16 at 00:20
-
@user1780242 No, just no. You fix whatever problem you have with yum and install all the updates you should have had for years. In theory, `rpm` (or even `yum` depending on exactly what you want) would be the tool to use to manually install a package file (not extracting it and doing something with the contents by hand) but that is not what makes sense in this scenario. Use yum, and if there's something about the apparent yum issue that warrants a question, I think that should better be a separate question. – Håkan Lindqvist Jul 10 '16 at 02:16
-
@user1780242 From what I've heard it sounds like the distro-provided 1.0.1e version is untouched and you have a manually installed 1.0.2h in `/usr/local/ssl`? – Håkan Lindqvist Jul 10 '16 at 02:26
-
@user1780242 The reason why I referred to there being some form of problem with yum is because you don't have the current packages despite updating all packages (normally you would have had 1.0.1e-48.el6_8.1 for months). As for your 1.0.2h stuff, unless you know something that has not been made clear, it does not appear to be relevant to the question as apache is using 1.0.1e, right? – Håkan Lindqvist Jul 10 '16 at 02:52
-
@user1780242 From what you have told me it sounds like you have two openssl installations side by side. Everything from Centos uses theirs and you use yours when you invoke `openssl` on the command line (based on ordering in `$PATH`). Probably `/usr/bin/openssl version` or something along those lines will print a different version number. – Håkan Lindqvist Jul 10 '16 at 03:00
-
@user1780242 Does that mean that you have overwritten part of the centos openssl files? That would make this way more of a mess.... – Håkan Lindqvist Jul 10 '16 at 03:07
-
If you will kindly delete your comments/answers on this question I will delete the question. It has contributed to a question ban and I'd like to get it reversed. Thanks. – user1780242 Aug 30 '16 at 00:30
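The answer and the comment thread above boil down to one diagnostic: find out which `libssl` the CentOS-packaged Apache (httpd and mod_ssl) actually loads, where that file really lives, and whether it is owned by a distro package whose version is at or past the fixed 1.0.1e-48.el6_8.1, rather than trusting whatever `openssl version` prints from `$PATH`. The script below is an added example written for this page; it is not code from the thread. It assumes the CentOS 6 default paths `/usr/sbin/httpd` and `/etc/httpd/modules/mod_ssl.so` and a host with `ldd`, `readlink -f` and (optionally) `rpm`.

```shell
#!/bin/sh
# Added example (not from the Server Fault thread): report which libssl an
# ELF object really loads, the real file behind any symlink, and the owning
# package, then compare the openssl CLI found in $PATH with /usr/bin/openssl.

# Print the resolved libssl path from `ldd` output read on stdin.
# ldd lines look like "    libssl.so.10 => /usr/lib64/libssl.so.10 (0x...)";
# a "=> not found" line is skipped because $3 is not an absolute path.
libssl_from_ldd() {
    awk '$1 ~ /^libssl\.so/ && $2 == "=>" && $3 ~ /^\// { print $3; exit }'
}

# Extract the version suffix from a library file name:
# libssl.so.1.0.1e -> 1.0.1e ; prints nothing when there is no suffix.
# Run it on the readlink -f result, since the soname (libssl.so.10) is only
# a symlink on CentOS 6 and its "10" is not a version.
version_from_soname() {
    printf '%s\n' "$1" | sed -n 's/.*libssl\.so\.\([0-9][0-9.a-z]*\)$/\1/p'
}

# Name the package owning a file. A source build under /usr/local shows up
# as "not owned by any package", which is the side-by-side install the
# answer describes. The rpm output includes version-release, so it can be
# compared directly against the fixed 1.0.1e-48.el6_8.1 from the answer.
owner_of() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "$1" 2>/dev/null || echo "(not owned by any package)"
    else
        echo "(rpm not available on this host)"
    fi
}

# Describe one object. Always returns 0: this is a report, not a gate.
check_object() {
    obj="$1"
    if [ ! -e "$obj" ]; then
        echo "$obj: not found (path is the assumed CentOS 6 default)"
        return 0
    fi
    lib=$(ldd "$obj" 2>/dev/null | libssl_from_ldd)
    if [ -z "$lib" ]; then
        echo "$obj: does not link libssl directly (check the modules it loads)"
        return 0
    fi
    real=$(readlink -f "$lib")
    ver=$(version_from_soname "$real")
    echo "$obj"
    echo "  links:    $lib"
    echo "  resolves: $real  (version ${ver:-unknown})"
    echo "  package:  $(owner_of "$real")"
    return 0
}

main() {
    for f in /usr/sbin/httpd /etc/httpd/modules/mod_ssl.so; do
        check_object "$f"
    done
    # The comment thread's point: the first `openssl` in $PATH may be a
    # different install from the distro one, so show both side by side.
    echo "PATH openssl:   $(command -v openssl 2>/dev/null || echo none)" \
         "-> $(openssl version 2>/dev/null || echo 'n/a')"
    echo "distro openssl: /usr/bin/openssl" \
         "-> $(/usr/bin/openssl version 2>/dev/null || echo 'n/a')"
}

main "$@"
```

If `mod_ssl.so` resolves to a file owned by an `openssl` package older than 1.0.1e-48.el6_8.1, the fix is the `yum update` path the answer recommends; a library under `/usr/local` that nothing in the report loads is the unused side install the comments discuss and can be removed without affecting Apache.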