
False OpenSSL CVE-2014-0224 alarm: openssl on CentOS 6 and Chef 11

Question asked by Stephen Sykes on Jul 5, 2015
Latest reply on Jul 25, 2015 by Stephen Sykes

We have a server running CentOS 6.6 and Chef 11.1.6.  Each has its own OpenSSL installed.

Chef reports that version 11.1.6 is patched for OpenSSL CVE-2014-0224 (Chef Releases for OpenSSL (CVE-2014-0224) Vulnerability | Chef Blog) and I've verified that's what we're running:

cat /opt/chef-server/version-manifest.json
{
  "format_version": "0.0.1",
  "platform": "el",
  "platform_version": "6.5",
  "arch": "x86_64",
  "version": "11.1.6"
}

CentOS patched the vulnerability and I've verified the current version includes this patch, as indicated in the change log for the openssl version:

sudo rpm -q --changelog openssl | grep CVE-2014-0224
- fix CVE-2014-0224 fix that broke EAP-FAST session resumption support
- fix CVE-2014-0224 - SSL/TLS MITM vulnerability

Yet SSL Labs and SoftLayer's Nessus scanner indicate the vulnerability still exists.

Any ideas as to what is happening?
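As an added example (not part of the question or any reply), here is a small check for the situation described above: a host with more than one OpenSSL copy, where the distro package carries a backported fix that does not change the version banner, while non-packaged copies must be judged by their upstream version. The rpm changelog lines are the ones quoted in the question; the binary paths and version banners are constructed sample input, and the fixed upstream releases (0.9.8za, 1.0.0m, 1.0.1h) are taken from the OpenSSL advisory for CVE-2014-0224.

```python
import re

CVE = "CVE-2014-0224"
# First upstream release on each affected branch that fixed CVE-2014-0224.
FIXED_UPSTREAM = {(0, 9, 8): "za", (1, 0, 0): "m", (1, 0, 1): "h"}

def parse_banner(banner):
    """Split 'OpenSSL 1.0.1e-fips 11 Feb 2013' into ((1, 0, 1), 'e')."""
    m = re.match(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    return tuple(int(x) for x in m.groups()[:3]), m.group(4)

def upstream_patched(banner):
    """Version-string check; valid only for unmodified upstream builds (beta tags are not parsed)."""
    base, letters = parse_banner(banner)
    if base not in FIXED_UPSTREAM:
        return base > (1, 0, 1)  # later branches shipped after the fix
    fixed = FIXED_UPSTREAM[base]
    # Letter suffixes sort a..z, then za, zb, ...: compare by length first.
    return (len(letters), letters) >= (len(fixed), fixed)

def assess(copies, rpm_changelog):
    """copies: list of (path, banner, distro_rpm). Returns {path: verdict}."""
    backported = any(CVE in line for line in rpm_changelog.splitlines())
    verdicts = {}
    for path, banner, distro_rpm in copies:
        if distro_rpm:
            # Distro builds backport fixes without bumping the version string,
            # so the rpm changelog, not the banner, is the authority here.
            verdicts[path] = "patched (distro backport)" if backported else "vulnerable"
        else:
            verdicts[path] = "patched" if upstream_patched(banner) else "vulnerable"
    return verdicts

# Constructed sample input: the rpm changelog lines from the question and
# banners for three OpenSSL copies (paths and banners are hypothetical).
RPM_CHANGELOG = """- fix CVE-2014-0224 fix that broke EAP-FAST session resumption support
- fix CVE-2014-0224 - SSL/TLS MITM vulnerability"""
COPIES = [
    ("/usr/bin/openssl", "OpenSSL 1.0.1e-fips 11 Feb 2013", True),
    ("/opt/chef-server/embedded/bin/openssl", "OpenSSL 1.0.1h 5 Jun 2014", False),
    ("/opt/legacy-app/bin/openssl", "OpenSSL 1.0.1c 10 May 2012", False),
]

if __name__ == "__main__":
    for path, verdict in assess(COPIES, RPM_CHANGELOG).items():
        print("%-40s %s" % (path, verdict))
```

A scanner tests whichever OpenSSL the listening service was linked against, so the rpm changelog only vouches for the distro copy; each other copy needs its own check.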
