
OpenSSL oracle padding vulnerability (CVE-2016-2107) SEV 4 QID 38626

Question asked by harish sarva on Mar 2, 2017
Latest reply on Mar 29, 2018 by Matias Salimbene

Hello,

I have been told to:

Disable SSLv3 support to avoid this vulnerability.

Examples to disable SSLv3.
nginx: list specific allowed protocols in the ssl_protocols line. Make sure SSLv2 and SSLv3 are not listed. For example: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Apache: Add -SSLv3 to the SSLProtocol line.

Most of our machines are running splunkd (some of them httpd, nginx, stunnel). In addition to that, my colleague asked me to upgrade OpenSSL:

"Please upgrade OpenSSL.

Additionally we should always disable SSLv3 and use TLSv1.2."

And when I hit

yum info openssl

Loaded plugins: fastestmirror, security
Repository base is listed more than once in the configuration
Repository pcc is listed more than once in the configuration
Repository sbrepo is listed more than once in the configuration
Repository updates is listed more than once in the configuration
Loading mirror speeds from cached hostfile
Installed Packages
Name        : openssl
Arch        : x86_64
Version     : 1.0.1e
Release     : 48.el6_8.1
Size        : 4.0 M
Repo        : installed
From repo   : updates
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
            : machines. OpenSSL includes a certificate management tool and shared
            : libraries which provide various cryptographic algorithms and
            : protocols.

Available Packages
Name        : openssl
Arch        : i686
Version     : 1.0.1e
Release     : 48.el6_8.1
Size        : 1.5 M
Repo        : updates
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
            : machines. OpenSSL includes a certificate management tool and shared
            : libraries which provide various cryptographic algorithms and
            : protocols.

And he has provided this info to upgrade OpenSSL:

A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI.

Affected Versions:
OpenSSL 1.0.2 prior to OpenSSL 1.0.2h
OpenSSL 1.0.1 prior to OpenSSL 1.0.1t

OpenSSL version 1.0.2h and 1.0.1t have been released to address these issues.

Refer to https://www.openssl.org/news/secadv/20160503.txt to obtain more information.

But we cannot upgrade the 1.0.1 prior to OpenSSL 1.0.1t, since it's not in our standard repo. Can 1.0.1e-48 fix the problem?

I am a little confused here about how I can proceed. Please give some solutions.

And I attached the scan result after I disabled SSLv3; please take a look.
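
One way to verify the SSLv3 change described in the post across nginx and Apache configuration, as an added example (not part of the original post, and not a scanner or vendor tool): the function reads config text and reports every line that still allows SSLv2 or SSLv3. The function names and the sample config are constructed, and Apache's `all` is assumed to include SSLv2 and SSLv3 as a conservative simplification.

```shell
#!/usr/bin/env bash
# Added example: flag nginx/Apache protocol directives that still allow SSLv2/SSLv3.

audit_protocols() {   # reads config text on stdin, prints "<server>:<line>: <protocols>"
  awk '
    # Assumption: treat Apache "all" as including SSLv2 and SSLv3 (conservative).
    function expand(p) { return (p == "all") ? "sslv2 sslv3 tlsv1 tlsv1.1 tlsv1.2" : p }
    /^[ \t]*#/ { next }                          # skip commented-out directives
    $1 == "ssl_protocols" {                      # nginx: explicit allow-list
      bad = ""
      for (i = 2; i <= NF; i++) {
        t = tolower($i); sub(/;$/, "", t)
        if (t == "sslv2") bad = bad " SSLv2"
        if (t == "sslv3") bad = bad " SSLv3"
      }
      if (bad != "") print "nginx:" NR ":" bad
    }
    tolower($1) == "sslprotocol" {               # Apache: tokens applied left to right
      split("", on)                              # start with an empty protocol set
      for (i = 2; i <= NF; i++) {
        t = tolower($i); op = substr(t, 1, 1)
        if (op == "+" || op == "-") t = substr(t, 2); else op = "="
        if (op == "=") split("", on)             # a bare name replaces the whole set
        n = split(expand(t), names, " ")
        for (j = 1; j <= n; j++) {
          if (op == "-") delete on[names[j]]; else on[names[j]] = 1
        }
      }
      bad = ""
      if ("sslv2" in on) bad = bad " SSLv2"
      if ("sslv3" in on) bad = bad " SSLv3"
      if (bad != "") print "apache:" NR ":" bad
    }
  '
}

sample_config() {     # constructed sample, both syntaxes mixed for illustration
  cat <<'EOF'
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols SSLv3 TLSv1.2;
SSLProtocol all -SSLv2 -SSLv3
SSLProtocol all -SSLv2
# SSLProtocol all
SSLProtocol TLSv1.2
EOF
}

sample_config | audit_protocols
```

Against real files, pipe the configuration in, for example `cat /etc/nginx/nginx.conf | audit_protocols` (path is an assumption; use the files your services actually load).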
