CVE-2016-2107: OpenSSL Padding Oracle vulnerability

Created: 2016-11-16 13:19:38 UTC

Modified: 2017-08-17 04:14:30 UTC


Applicable to:

  • Plesk 12.5 for Linux
  • Plesk 11.x for Linux
  • Plesk 12.0 for Linux

Information

The OpenSSL project announced a security update which, among other fixes, contains solutions for the CVE-2016-2107, CVE-2016-2108 and CVE-2016-2109 vulnerabilities.

It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when the connection used the AES CBC cipher suite and the server supported AES-NI. A remote attacker could possibly use this flaw to retrieve plain text from encrypted packets by using a TLS/SSL or DTLS server as a padding oracle.

This issue affected versions of OpenSSL prior to April 2015. The bug causing the vulnerability was fixed on April 18th 2015, and released as part of the June 11th 2015 security releases. The security impact of the bug was not known at the time. In previous versions of OpenSSL, ASN.1 encoding the value zero represented as a negative integer can cause a buffer underflow with an out-of-bounds write in i2c_ASN1_INTEGER.

When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio(), a short invalid encoding can cause allocation of large amounts of memory, potentially consuming excessive resources or exhausting memory.

Resolution

  • Plesk 12.5 on RedHat 5 and CentOS 5: fixed by the Plesk 12.5.30 MU#37 update.
  • Plesk 12.0 on RedHat 5 and CentOS 5: a fix is expected in the nearest micro-update.
  • Plesk 11.0-11.5 on RedHat 5 and CentOS 5: the date of the update release is not decided yet.

For all Linux distributions other than RedHat/CentOS 5, Plesk uses the system OpenSSL library. If you have Plesk 11.x-12.5 installed on a RedHat/CentOS 6 or Debian/Ubuntu server, you should apply the updates released by the OS vendor and restart services:

RedHat/CentOS:

# yum update openssl
# service nginx restart
# service httpd restart

Debian/Ubuntu:

# apt-get upgrade openssl
# /etc/init.d/nginx restart
# /etc/init.d/apache2 restart
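
The restart step matters because a process that loaded libssl/libcrypto before the update keeps running the old, unlinked copy until it is restarted. The script below is an added example (not part of the original article or of Plesk) that lists such stale mappings; the sample maps lines and library version are constructed, and `--scan` is an option of this script only.

```shell
#!/bin/sh
# Added example: find processes still running a pre-update OpenSSL library.
# After the package update the old libssl/libcrypto files are unlinked, so
# /proc/<pid>/maps shows them with a trailing "(deleted)" until a restart.

# Read maps-format lines on stdin; print each distinct stale OpenSSL library.
stale_ssl_maps() {
    awk '$NF == "(deleted)" && $6 ~ "/lib(ssl|crypto)[^/]*[.]so" { print $6 }' |
        sort -u
}

# Constructed sample of /proc/<pid>/maps content (not captured from a real host).
sample_maps() {
    cat <<'EOF'
00400000-004f2000 r-xp 00000000 fd:00 131201 /usr/sbin/nginx
7f3a10000000-7f3a10062000 r-xp 00000000 fd:00 262301 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a10062000-7f3a10066000 r--p 00062000 fd:00 262301 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a10400000-7f3a105b5000 r-xp 00000000 fd:00 262299 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f3a10800000-7f3a1098a000 r-xp 00000000 fd:00 262144 /lib64/libc-2.12.so
7f3a10c00000-7f3a10c01000 rw-s 00000000 00:04 98304 /dev/zero (deleted)
EOF
}

# Walk every readable process and report "pid<TAB>executable<TAB>stale libraries".
scan_running() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        libs=$(cat "$maps" 2>/dev/null | stale_ssl_maps | tr '\n' ' ')
        [ -n "$libs" ] || continue
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || exe='?'
        printf '%s\t%s\t%s\n' "$pid" "$exe" "$libs"
    done
}

# Default: demonstrate on the sample; "--scan" (run as root) checks the live host.
if [ "${1:-}" = "--scan" ]; then
    scan_running
else
    sample_maps | stale_ssl_maps
fi
```

Any process reported by `--scan` after the update still needs a restart, including services other than nginx and Apache that link against OpenSSL.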

Plesk takes the security of our customers very seriously and encourages you to apply updates as soon as possible.

To check whether a website is vulnerable, you can evaluate it with the SSL Labs online tool.
