CVE-2014-0224: CCS Injection Vulnerability could allow for a man-in-the-middle attack against an encrypted connection.
SSL/TLS connections typically allow for encrypted traffic to pass between two parties where only the intended senders and recipients can decrypt data. In the event of a man-in-the-middle attack, an attacker could intercept an encrypted data stream allowing them to decrypt, view and then manipulate said data.
The vulnerability can only be exploited if both server and client are vulnerable to this issue. In the event that one of the two is vulnerable, there is no risk of exploitation. Servers running OpenSSL versions below 1.0.1 are not vulnerable but those who are using higher version are affected.
Clients using OpenSSL versions below 1.0.1 connecting to servers running OpenSSL versions 1.0.1 and higher are vulnerable and should be updated.
To apply the changes on running servers, you can manually update the built-in OpenSSL version. To apply the update to new servers that are launched, you can change the software repository date to install the latest OpenSSL version.
Note: If you are using a version of a v13 ServerTemplate (published by RightScale) your server may already have the security updates feature enabled. If enabled (Enable security updates = text:enable), you can reboot the server to automatically apply the patch to a running server.
On a running Ubuntu 12.04-LTS server, navigate to the server's Scripts tab in the dashboard and run the recipe rightscale::setup_security_updates. This is usually located in the Boot Scripts section. In the confirmation window, click the "Show advanced" option and select "text: enable" from the dropdown then click Continue. (Note: This will ONLY unfreeze the security repository, which will allow the latest security updates to be installed.)
After the recipe completed successfully, verify if the repository changed properly :
~# cat /etc/apt/sources.list.d/rightscale.sources.list |grep -i security deb http://cf-mirror.rightscale.com/ubuntu_daily/latest precise-security main restricted multiverse universe deb http://island5.rightscale.com/ubuntu_daily/latest precise-security main restricted multiverse universe
Once the security repository has been changed, you can proceed applying the security update on the server by running the rightscale::do_security_updates operational script. This will do a system package update to download and install the latest security patches.
Again, once the recipe is completed, you can ssh into the server to verify that the 'openssl' package was properly updated to the latest version:
Ubuntu 14.04 LTS:
Ubuntu 12.04 LTS:
After a standard system update, a system reboot is recommended to apply all the necessary changes.
For new servers, enable the security update input before launching the server. This can be found under the RIGHTSCALE category. (Note: It's an advanced input so you must click on the "Show advanced inputs" option to see it in the dashboard.
Enable security updates rightscale/security_updates text:enable
Unfortunately, the steps outlined above cannot be used for CentOS without running the risk of updating other packages, which might break package compatibility. The problem with CentOS is that it does not allow you to do a security update alone (whereas Ubuntu does because of a separate security repository). The only way to apply the latest security updates is to unfreeze all repos and update from latest.
openssl-1.0.1e-16.el6_5.14.x86_64.rpm openssl-devel-1.0.1e-16.el6_5.14.x86_64.rpm openssl-static-1.0.1e-16.el6_5.14.x86_64.rpm
© 2006-2014 RightScale, Inc. All rights reserved.
RightScale is a registered trademark of RightScale, Inc. All other products and services may be trademarks or servicemarks of their respective owners.