TPS-2015-007 OpenSSL Security Advisory

SmartOS Users

Using the table below, update to the fixed release of the OpenSSL branch you are running. Fixed packages are published only for the 1.0.2 and 1.0.1 branches; users still on the older 1.0.0 or 0.9.8 branches are advised to upgrade to a later OpenSSL branch. Note that the fix for CVE-2015-3196 already shipped in 1.0.2d and 1.0.1p, so installing 1.0.2e or 1.0.1q covers all five CVEs listed.

CVE             Version(s) Affected                   Fixed Release(s)                           Where Available (pkgsrc repo)
CVE-2015-3193   OpenSSL 1.0.2                         OpenSSL 1.0.2e                             2015Q3
CVE-2015-3194   OpenSSL 1.0.2, 1.0.1                  OpenSSL 1.0.2e, 1.0.1q                     2015Q3, 2014Q4
CVE-2015-3195   OpenSSL 1.0.2, 1.0.1, 1.0.0, 0.9.8    OpenSSL 1.0.2e, 1.0.1q, 1.0.0t, 0.9.8zh    2015Q3, 2014Q4 (1.0.2 and 1.0.1 only)
CVE-2015-3196   OpenSSL 1.0.2, 1.0.1, 1.0.0           OpenSSL 1.0.2d, 1.0.1p, 1.0.0t             2015Q3, 2014Q4 (1.0.2 and 1.0.1 only)
CVE-2015-1794   OpenSSL 1.0.2                         OpenSSL 1.0.2e                             2015Q3

You can determine whether the OpenSSL package is installed, and which version, by running:

pkgin ls | grep -i openssl

Customers can update the package repository and re-install OpenSSL with the following commands. Processes that link against libssl (web servers, proxies, Node.js) keep the old library mapped until they are restarted, so restart them after the update:

pkgin -y up && pkgin -y in openssl

Or, if the required version is only available in a different repository, install that package directly by running:

pkg_add pkgsrc_path_to_package

For example, if you need OpenSSL 1.0.2e from the 2015Q3 repository but your image is configured for a different repository, you can install the 1.0.2e package by running:

pkg_add http://pkgsrc.joyent.com/packages/SmartOS/2015Q3/x86_64/All/openssl-1.0.2e.tgz
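The following script is an added example, not part of the Joyent advisory, that automates the check described above: it reads the `pkgin ls` output (a constructed sample is embedded so it runs offline) and compares the installed openssl package against the minimum fixed release for its branch from the table. OpenSSL letter suffixes are ordered a..z, then za, zb, ..., so a longer suffix is always newer; pkgsrc `nbN` revision suffixes are ignored because they do not change the upstream version. The package-line format assumed is the one `pkgin ls` prints ("name-version  comment").

```shell
#!/bin/sh
# Added example (not from the advisory): is the installed pkgsrc OpenSSL
# package at or above the fixed release for its branch?

# Constructed sample of `pkgin ls | grep -i openssl` output.
SAMPLE_PKGIN_LS='openssl-1.0.2d            Secure Socket Layer and cryptographic library
py27-OpenSSL-0.15.1       Python interface to the OpenSSL library'

# Minimum fixed release per branch, taken from the advisory table.
fixed_for_branch() {
    case "$1" in
        1.0.2) echo 1.0.2e ;;
        1.0.1) echo 1.0.1q ;;
        1.0.0) echo 1.0.0t ;;
        0.9.8) echo 0.9.8zh ;;
        *)     echo "" ;;
    esac
}

# 1.0.2dnb1 -> branch 1.0.2, suffix d (pkgsrc nbN revision dropped)
branch_of() { printf '%s\n' "$1" | sed 's/^\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/'; }
suffix_of() { printf '%s\n' "$1" | sed -e 's/nb[0-9]*$//' -e 's/^[0-9]*\.[0-9]*\.[0-9]*//'; }

# OpenSSL suffix order: a..z, then za, zb, ... so longer is newer,
# equal length compares alphabetically. Returns 0 when $1 >= $2.
suffix_ge() {
    a=$1; b=$2
    [ "${#a}" -gt "${#b}" ] && return 0
    [ "${#a}" -lt "${#b}" ] && return 1
    [ "$a" = "$b" ] && return 0
    [ "$(printf '%s\n%s\n' "$a" "$b" | LC_ALL=C sort | tail -n 1)" = "$a" ]
}

# openssl_status VERSION -> prints fixed, vulnerable or unsupported
openssl_status() {
    v=$1
    need=$(fixed_for_branch "$(branch_of "$v")")
    if [ -z "$need" ]; then
        echo unsupported
        return 0
    fi
    if suffix_ge "$(suffix_of "$v")" "$(suffix_of "$need")"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Pull the openssl package version out of pkgin ls output, skipping
# unrelated packages such as py27-OpenSSL.
installed_openssl_version() {
    printf '%s\n' "$1" | awk '$1 ~ /^openssl-[0-9]/ { sub(/^openssl-/, "", $1); print $1; exit }'
}

# Stand-alone run over the constructed sample; on a real host replace
# SAMPLE_PKGIN_LS with "$(pkgin ls | grep -i openssl)".
v=$(installed_openssl_version "$SAMPLE_PKGIN_LS")
echo "openssl-$v: $(openssl_status "$v")"
```

A result of `unsupported` means the branch is not in the table (for example a 1.1.x build) and must be checked against the upstream OpenSSL advisory instead; `vulnerable` means the pkgin update or pkg_add step above is still required.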

Linux Users

Please check the notices published by the Linux distribution you are using for the necessary remedial actions.

Joyent Manta, CloudAPI and Portal

Please be assured that any Joyent components identified as being affected will be updated.

Node.js Users

Node.js bundles its own copy of OpenSSL, so versions v0.10.x through 4.x were affected. Update Node.js to the latest release of the line you are running:

  • nodejs-0.10.41 (pending)
  • nodejs-0.12.9 (available in the 2014Q4 pkgsrc repo, pending availability in the 2015* repos)
  • nodejs-4.2.3 (available in the 2014Q4 pkgsrc repo, pending availability in the 2015* repos)

Please also take note of the most recently announced Node.js vulnerabilities outlined here.

We will continue to update this notice with any new information in due course, so please check back periodically for any new details.

ORIGINAL NOTICE

This notice is to advise all Joyent Public Cloud (JPC) and SmartDataCenter (SDC) customers of the recently-identified OpenSSL security vulnerabilities CVE-2015-3193, CVE-2015-3194, CVE-2015-3195 and CVE-2015-3196. More information about these vulnerabilities can be reviewed here.

We believe these security vulnerabilities do not pose a significant threat at this time. However, in due course we will update this notice to confirm the actions taken by Joyent, and provide specific details of any required actions that will need to be taken by both JPC and SDC customers.

At any time, please do not hesitate to contact our Support team (by raising a ticket at https://help.joyent.com or by email to support@joyent.com) if you have any questions or concerns.