TPS-2015-006 OpenSSL "Man-in-the-Middle" Vulnerability (CVE-2015-1793)

Introduction

This advisory describes the scope of the recently-announced, “high-severity” OpenSSL vulnerability classified as CVE-2015-1793. This vulnerability could allow “man-in-the-middle” attackers to impersonate HTTPS servers and snoop on encrypted traffic.

Described in the sections below are actions being taken by Joyent, and actions recommended for customers to take. This article is meant to be used in addition to our 18-June-2015 and 20-March-2015 advisories regarding previously-announced OpenSSL vulnerabilities.

Upgrading your own OpenSSL (versions 1.0.2b, 1.0.2c, 1.0.1n or 1.0.1o)

Should customers choose to address this vulnerability by upgrading OpenSSL on their own, they are advised to upgrade as follows:

  • OpenSSL 1.0.2b and 1.0.2c users should upgrade to 1.0.2d
  • OpenSSL 1.0.1n and 1.0.1o users should upgrade to 1.0.1p

Joyent customers can address this and other recently-announced vulnerabilities by re-installing OpenSSL with the following command:

pkgin -y up && pkgin -y in openssl
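As an added example (not part of the Joyent advisory and not Joyent tooling), the following POSIX shell functions classify an installed OpenSSL against the version list above, so an operator can audit several hosts before and after running the pkgin upgrade. It takes the output of `openssl version` or a pkgin package name such as `openssl-1.0.2c`; the function names, the "not-in-scope" label for versions the advisory does not mention, and the sample strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the advisory: check an OpenSSL version string against
# the releases this advisory names.
#   affected:     1.0.1n, 1.0.1o, 1.0.2b, 1.0.2c  (upgrade required)
#   fixed:        1.0.1p, 1.0.2d                  (the advisory's upgrade targets)
#   not-in-scope: anything else (this advisory makes no statement about it)

# Extract the bare version from an `openssl version` line,
# e.g. "OpenSSL 1.0.2c 12 Jun 2015" -> "1.0.2c".
# A build suffix such as "-fips" is dropped before comparison.
version_from_banner() {
    printf '%s\n' "$1" | awk '{print $2}' | sed 's/[-_].*//'
}

# Extract the version from a pkgin package name, e.g. "openssl-1.0.2c" -> "1.0.2c".
version_from_pkg() {
    printf '%s\n' "${1#openssl-}" | sed 's/nb[0-9]*$//'
}

# Classify a bare version. Prints affected / fixed / not-in-scope.
classify_version() {
    case "$1" in
        1.0.1n|1.0.1o|1.0.2b|1.0.2c) echo affected ;;
        1.0.1p|1.0.2d)               echo fixed ;;
        *)                           echo not-in-scope ;;
    esac
}

# Upgrade target for an affected version, exactly as the advisory lists it.
upgrade_target() {
    case "$1" in
        1.0.1n|1.0.1o) echo 1.0.1p ;;
        1.0.2b|1.0.2c) echo 1.0.2d ;;
        *)             echo none ;;
    esac
}

# Convenience wrapper: classify straight from an `openssl version` banner.
classify_banner() {
    classify_version "$(version_from_banner "$1")"
}

# When run directly, report on the host's own openssl binary (if present).
if command -v openssl >/dev/null 2>&1; then
    banner=$(openssl version)
    ver=$(version_from_banner "$banner")
    status=$(classify_version "$ver")
    echo "installed: $banner -> $status"
    [ "$status" = affected ] && echo "upgrade to: $(upgrade_target "$ver")"
fi
```

A host reporting "affected" should be upgraded with the pkgin command above and re-checked; "not-in-scope" only means the version is not one this advisory discusses, which for older releases points back to the earlier OpenSSL advisories referenced in the introduction.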

Joyent-delivered software

CVE-2015-1793 and other vulnerabilities have been addressed in the most recently released versions of Joyent’s software and package repositories:

  • pkgin repository 2015Q2 (openssl-1.0.2d)
  • pkgin repository 2015Q1 (openssl-1.0.2d)
  • pkgin repository 2014Q4 (openssl-1.0.1p)
  • pkgin repository 2014Q2 (openssl-1.0.1p)
  • SmartDataCenter (SDC): The fix for this vulnerability is available in any platform image after 20150709.

Linux users

For any necessary remedial actions, please check the notices applicable to the Linux distro you are using:

Further questions

As before, please be assured that Joyent’s HTTPS endpoints for Manta, CloudAPI and our customer portal are not vulnerable.

Joyent customers who are using third-party operating systems are advised to contact their respective service providers for further information and instructions.

If you have followed the instructions above and have further questions regarding mitigation of OpenSSL vulnerabilities in Joyent products and services, please contact Joyent Support by submitting a request at the support portal or by emailing support@joyent.com.