
Nginx NGINX and the 05 June 2014 OpenSSL Security Advisory

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, Jun 6, 2014.

  1. eva2000

    What is the impact on NGINX of CVE-2014-0224 and related OpenSSL vulnerabilities?

    The OpenSSL project announced fixes to 7 security vulnerabilities on 5 June 2014. The details are described in their Security Advisory.

    The vulnerabilities will potentially affect any server application (such as NGINX) that uses OpenSSL to terminate SSL/TLS traffic, and they may be exploited to create a Man-in-the-Middle (MitM) attack or a variety of denial-of-service and data corruption issues:

    • SSL/TLS MITM vulnerability (CVE-2014-0224)
    • DTLS recursion flaw (CVE-2014-0221)
    • DTLS invalid fragment vulnerability (CVE-2014-0195)
    • SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
    • SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
    • Anonymous ECDH denial of service (CVE-2014-3470)
    • “Other Issues” (CVE-2014-0076)


    The advice from the OpenSSL project is as follows:

    OpenSSL 0.9.8 SSL/TLS users should upgrade to 0.9.8za.
    OpenSSL 1.0.0 SSL/TLS users should upgrade to 1.0.0m.
    OpenSSL 1.0.1 SSL/TLS users should upgrade to 1.0.1h.
    Does your NGINX install use your OS vendor’s instance of OpenSSL?


    NGINX builds provided by Nginx (but not for Windows) or through a third party repository are usually dynamically linked to the operating system’s instance of libssl.so:

    $ ldd `which nginx` | grep ssl
    libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f82e62bf000)

    In this case, you can verify the precise version of openssl as follows (note that the library name does not contain the exact version number):

    $ strings /lib/x86_64-linux-gnu/libssl.so.1.0.0 | grep "^OpenSSL "
    OpenSSL 1.0.1f 6 Jan 2014


    Output on your system may vary. You can also run ‘openssl version’, although this may give incorrect results if there are several instances of OpenSSL on your server.

    If you are running an affected version of libssl (or even if you are not) you should upgrade to the latest openssl build provided by your operating system vendor, and then restart the NGINX software so that it uses the updated library. Check your vendor’s response to CVE-2014-0224 and the other vulnerabilities cited by OpenSSL to determine the correct upgrade process; for example:


    Please note that some Linux operating systems vendors may release fixed packages that still bear an earlier OpenSSL name, electing to include just the fix for CVE-2014-0224 and related vulnerabilities in their packages in order to provide a small update quickly.

    Does your NGINX install use a statically-linked instance of OpenSSL?


    If you have compiled nginx yourself, you may have statically linked the openssl libraries. The ldd test will reveal no dependencies on the operating system libssl.so library. nginx -V will give you the compile-time options which should reveal the options you used:

    $ ./objs/nginx -V
    nginx version: nginx/1.7.1
    built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
    configure arguments: --with-cc-opt=-I../openssl-1.0.1f
    --with-ld-opt='-L../openssl-1.0.1f -Wl,-Bstatic -lssl -lcrypto -Wl,-Bdynamic -ldl'
    --with-openssl=../openssl-1.0.1f


    If you are using a vulnerable version of openssl, you will need to recompile NGINX using a fixed version.


    Are you using the NGINX Windows binaries?


    NGINX for Windows, as distributed by nginx.org, is statically linked with OpenSSL. The builds for 1.7.1 and 1.6.0 that are now available from nginx.org have been updated with the new OpenSSL implementations.

    The post NGINX and the 05 June 2014 OpenSSL Security Advisory appeared first on NGINX.

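The checks the post above walks through by hand (ldd for a libssl.so dependency, strings for the "OpenSSL x.y.z" banner, then comparing against 0.9.8za / 1.0.0m / 1.0.1h) as one script. This is an added example, not code from the NGINX post or from Centmin Mod. It goes a little beyond the post: it emulates strings with tr so only POSIX tools are needed, it also reads the banner out of a statically linked nginx binary (the banner string is compiled into libcrypto, so a static build embeds it), and it strips the "-fips" that Red Hat builds append to the version. The script name check-nginx-openssl.sh and the assumption that OpenSSL letter suffixes sort as plain strings ("" < f < h, y < za < zb) are mine.

```shell
#!/bin/sh
# Added example, not code from the NGINX post: is this nginx using a fixed OpenSSL?
# The fixed releases (0.9.8za, 1.0.0m, 1.0.1h) are the ones the advisory names.

# Equivalent of `strings FILE | grep "^OpenSSL "` with POSIX tools only: turn every
# non-printable byte into a newline and keep the first banner line. Works on
# libssl.so and on a statically linked nginx alike, since the banner string is
# compiled into libcrypto and a static build embeds it.
openssl_banner_in_file() {
    tr -c '[:print:]' '\n' < "$1" | grep '^OpenSSL [0-9]' | head -n 1
}

# "OpenSSL 1.0.1f 6 Jan 2014" -> 1.0.1f; "OpenSSL 1.0.1e-fips 11 Feb 2013" -> 1.0.1e
openssl_version_number() {
    printf '%s\n' "$1" | awk '{ print $2 }' | sed 's/^\([0-9.]*[a-z]*\).*$/\1/'
}

# Letter suffix of the first fixed release on each branch, per the advisory.
openssl_fixed_suffix() {
    case "$1" in
        0.9.8) echo za ;;
        1.0.0) echo m ;;
        1.0.1) echo h ;;
        *)     echo "" ;;
    esac
}

# Exit 0 when VERSION (e.g. 1.0.1h) is at or past the fixed release on its
# branch, 1 when it is older, 2 when the branch is not in the advisory table.
# Assumption: OpenSSL letter suffixes sort as plain strings ("" < f < h, y < za < zb).
openssl_upstream_is_fixed() {
    branch=$(printf '%s' "$1" | sed 's/[a-z]*$//')
    letters=$(printf '%s' "$1" | sed 's/^[0-9.]*//')
    fixed=$(openssl_fixed_suffix "$branch")
    [ -n "$fixed" ] || return 2
    awk -v have="$letters" -v need="$fixed" 'BEGIN { exit (have < need) }'
}

# The decision tree from the post: a libssl.so dependency in ldd output means a
# dynamic link (fix = update the OS package, restart nginx); otherwise treat the
# build as static and inspect the nginx binary itself (fix = rebuild nginx).
nginx_openssl_report() {
    nginx_bin="$1"
    libssl=$(ldd "$nginx_bin" 2>/dev/null | awk '/libssl\.so/ { print $3; exit }')
    if [ -n "$libssl" ] && [ -r "$libssl" ]; then
        echo "linkage: dynamic, $libssl (update the OS openssl package, then restart nginx)"
        banner=$(openssl_banner_in_file "$libssl")
    else
        echo "linkage: static or unknown (no libssl.so in ldd output; fixing means rebuilding nginx)"
        banner=$(openssl_banner_in_file "$nginx_bin")
    fi
    [ -n "$banner" ] || { echo "no OpenSSL banner found in $nginx_bin"; return 2; }
    ver=$(openssl_version_number "$banner")
    echo "banner:  $banner"
    rc=0
    openssl_upstream_is_fixed "$ver" || rc=$?
    case $rc in
        0) echo "verdict: $ver is at or past the fixed upstream release" ;;
        2) echo "verdict: $ver is on a branch the advisory table does not cover" ;;
        *) echo "verdict: $ver is older than the fixed upstream release; for a vendor build" \
                "with backported fixes, compare the package release instead (rpm -q openssl)" ;;
    esac
    return $rc
}

# Stand-alone use: sh check-nginx-openssl.sh /usr/sbin/nginx
if [ -n "${1:-}" ]; then
    nginx_openssl_report "$1"
fi
```

The script exits non-zero whenever the verdict is not "fixed", so it can sit in a fleet-wide check. Note the third verdict: on Red Hat and CentOS the banner stays at 1.0.1e after the fix is backported, so a "vulnerable" result there is only a prompt to look at the package release, not a final answer.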
     
  2. eva2000

    For Redhat and CentOS
    Usually Red Hat and CentOS backport patches, so you will see something like OpenSSL 1.0.1e-XX, where XX is an incremented release number containing the fixed patches.

    Fixed version is 1.0.1e-16.el6_5.14

    Code:
    yum list update openssl -q
    Installed Packages
    openssl.i686        1.0.1e-16.el6_5.7        installed
    Available Packages
    openssl.i686        1.0.1e-16.el6_5.14       updates
    Done for the forums: Nginx/OpenSSL 1.0.1h (note that Nginx on Centmin Mod builds against a statically linked OpenSSL version defined in the centmin.sh variable OPENSSL_VER).

     
    Last edited: Jun 6, 2014
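For the backport case in the post above, where the package keeps the 1.0.1e name and only the release moves, the comparison has to be done on the RPM version-release string rather than on the upstream letter. This is an added example, not from the post or from Centmin Mod. It parses the yum output quoted above (embedded as a constructed sample), compares releases with a simplified rpmvercmp (digit runs numerically, letter runs as strings, a digit run beats a letter run, the longer string wins; tilde and caret ordering are left out), and takes 1.0.1e-16.el6_5.14 as the fixed build, as the post states. The `rpm -q --qf '%{VERSION}-%{RELEASE}'` call is the real rpm syntax for the live value; everything else is illustrative.

```shell
#!/bin/sh
# Added example, not from the post: does a RHEL/CentOS 6 openssl package carry
# the backported fix? Decide on the release number, not the 1.0.1e banner.
FIXED_EL6_OPENSSL="1.0.1e-16.el6_5.14"   # first fixed build named in the post

# Constructed sample of `yum list update openssl -q`, copied from the post above.
SAMPLE_YUM_OUTPUT='Installed Packages
openssl.i686    1.0.1e-16.el6_5.7     installed
Available Packages
openssl.i686    1.0.1e-16.el6_5.14    updates'

# Version-release of the installed openssl package in yum list output.
yum_installed_openssl() {
    printf '%s\n' "$1" | awk '
        /^Installed Packages/ { sect = "i"; next }
        /^Available Packages/ { sect = "a"; next }
        sect == "i" && $1 ~ /^openssl\./ { print $2; exit }'
}

# Simplified rpmvercmp: split both strings into runs of digits and runs of
# letters; digit runs compare numerically, letter runs as strings, a digit run
# beats a letter run, and when one string runs out the longer one is newer.
# Prints -1, 0 or 1. (Tilde and caret ordering are not implemented.)
rpm_vercmp() {
    awk -v a="$1" -v b="$2" '
    function segs(s, arr,    n, i, c, k, cur, kind) {
        n = 0; cur = ""; kind = ""
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            k = (c ~ /[0-9]/) ? "d" : ((c ~ /[A-Za-z]/) ? "a" : "")
            if (k == "") { if (cur != "") arr[++n] = cur; cur = ""; continue }
            if (cur != "" && k != kind) { arr[++n] = cur; cur = "" }
            cur = cur c; kind = k
        }
        if (cur != "") arr[++n] = cur
        return n
    }
    BEGIN {
        na = segs(a, A); nb = segs(b, B); r = 0
        for (i = 1; i <= na && i <= nb && r == 0; i++) {
            da = (A[i] ~ /^[0-9]+$/); db = (B[i] ~ /^[0-9]+$/)
            if (da && db) {
                if (A[i] + 0 < B[i] + 0) r = -1; else if (A[i] + 0 > B[i] + 0) r = 1
            } else if (da != db) {
                r = (da ? 1 : -1)
            } else if (A[i] != B[i]) {
                r = (A[i] < B[i]) ? -1 : 1
            }
        }
        if (r == 0 && na != nb) r = (na < nb) ? -1 : 1
        print r
    }'
}

# True when VERSION-RELEASE (as printed by rpm -q or yum list) is at or past
# the fixed build. A bare "1.0.1e" in the banner says nothing either way.
el6_openssl_is_fixed() {
    [ "$(rpm_vercmp "$1" "$FIXED_EL6_OPENSSL")" -ge 0 ]
}

# Stand-alone use: query the live package where rpm exists and the package is
# installed, otherwise fall back to the constructed sample from the post.
installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl 2>/dev/null) \
    || installed=$(yum_installed_openssl "$SAMPLE_YUM_OUTPUT")
if el6_openssl_is_fixed "$installed"; then
    echo "openssl-$installed: fixed (>= $FIXED_EL6_OPENSSL)"
else
    echo "openssl-$installed: NOT fixed for CVE-2014-0224, update to >= $FIXED_EL6_OPENSSL"
fi
```

Comparing a vendor release against an upstream letter is exactly what goes wrong here: rpm_vercmp puts 1.0.1e-16.el6_5.14 below 1.0.1h because "e" sorts before "h", even though the package is fixed, which is why the check pins to the vendor's fixed build rather than to the upstream version.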
  3. eva2000
