TPS-2015-002 Addressing Recent OpenSSL Vulnerabilities

The following sections describe the scope of several recently-announced Open SSL Vulnerabilities. We have included actions being taken by Joyent, and actions recommended for customers to take.

CVEs specific to OpenSSL version 1.0.2

Joyent has never shipped any versions of OpenSSL version 1.0.2 to customers, either in pkgsrc or as part of SmartDataCenter (SDC). If we do ship 1.0.2 versions in the future, they will be those versions known to contain the recent security fixes.

Should customers choose to upgrade OpenSSL on their own, they are advised to use version 1.0.2a or later to address the following vulnerabilities:

  • OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
  • Multiblock corrupted pointer (CVE-2015-0290)
  • Segmentation fault in DTLSv1_listen (CVE-2015-0207)
  • Segmentation fault for invalid PSS parameters (CVE-2015-0208)
  • Empty CKE with client auth and DHE (CVE-2015-1787)
  • Handshake with unseeded PRNG (CVE-2015-0285)

Previously-addressed CVE

The following vulnerability has already been patched, in response to previous announcements from the OpenSSL project:

  • Base64 decode (CVE-2015-0292)

CVEs addressed in current Joyent-delivered software

The CVEs listed in this section have been addressed in the most-currently-released versions of Joyent’s software and package repositories:

  • pkgin repository 2014Q4 (delivered in base images 14.4.x LTS)
  • SDC platform images released after 25-March-2015
  • Software in pkgin repository 2014Q2 will be patched and packages are being rebuilt, delivery expected 31-March-2015 or sooner

The applicable CVEs are:

  • Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)
  • ASN.1 structure reuse memory corruption (CVE-2015-0287)
  • PKCS7 NULL pointer dereferences (CVE-2015-0289)
  • DoS via reachable assert in SSLv2 servers (CVE-2015-0293)
  • Use After Free following d2i_ECPrivatekey error (CVE-2015-0209)
  • X509_to_X509_REQ NULL pointer deref (CVE-2015-0288)

Further questions

Joyent customers who are using third-party operating systems are advised to contact their respective service providers for further information and instructions.

If you have followed the questions above and further questions arise regarding mitigation of these OpenSSL vulnerabilities (in Joyent products and services), please contact Joyent Support by emailing support@joyent.com or submitting a request at the Customer Support portal.