ID

VAR-201410-1418

CVE

CVE-2014-3566

TITLE

Red Hat Security Advisory 2014-1880-01

DESCRIPTION

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. SSL protocol is the abbreviation of Secure Socket Layer protocol (Secure Socket Layer) developed by Netscape, which provides security and data integrity guarantee for Internet communication. There is a security vulnerability in the SSL protocol 3.0 version used in OpenSSL 1.0.1i and earlier versions. The vulnerability is caused by the program's use of non-deterministic CBC padding. Attackers can use padding-oracle attacks to exploit this vulnerability to implement man-in-the-middle attacks and obtain plaintext data. 7) - x86_64 3. Bugs fixed (https://bugzilla.redhat.com/): 1071210 - CVE-2014-6512 OpenJDK: DatagramSocket connected socket missing source check (Libraries, 8039509) 1150155 - CVE-2014-6506 OpenJDK: insufficient permission checks when setting resource bundle on system logger (Libraries, 8041564) 1150651 - CVE-2014-6531 OpenJDK: insufficient ResourceBundle name check (Libraries, 8044274) 1150669 - CVE-2014-6502 OpenJDK: LogRecord use of incorrect CL when loading ResourceBundle (Libraries, 8042797) 1151046 - CVE-2014-6457 OpenJDK: Triple Handshake attack against TLS/SSL connections (JSSE, 8037066) 1151063 - CVE-2014-6558 OpenJDK: CipherInputStream incorrect exception handling (Security, 8037846) 1151517 - CVE-2014-6511 ICU: Layout Engine ContextualSubstitution missing boundary checks (JDK 2D, 8041540) 1152756 - CVE-2014-6532 Oracle JDK: unspecified vulnerability fixed in 6u85, 7u71 and 8u25 (Deployment) 1152757 - CVE-2014-6503 Oracle JDK: unspecified vulnerability fixed in 6u85, 7u71 and 8u25 (Deployment) 1152758 - CVE-2014-6456 Oracle JDK: unspecified vulnerability fixed in 7u71 and 8u25 (Deployment) 1152759 - CVE-2014-6492 Oracle JDK: unspecified vulnerability fixed in 6u85, 7u71 and 8u25 (Deployment) 1152760 - CVE-2014-6493 Oracle JDK: unspecified vulnerability fixed in 6u85, 7u71 and 8u25 (Deployment) 1152761 - CVE-2014-4288 Oracle JDK: unspecified vulnerability fixed in 6u85, 7u71 and 8u25 (Deployment) 1152763 - CVE-2014-6458 Oracle JDK: unspecified vulnerability fixed in 6u85, 7u71 and 8u25 (Deployment) 1152765 - CVE-2014-6476 Oracle JDK: unspecified vulnerability fixed in 7u71 and 8u25 (Deployment) 1152766 - CVE-2014-6515 Oracle JDK: unspecified vulnerability fixed in 6u85, 7u71 and 8u25 (Deployment) 1152767 - CVE-2014-6527 Oracle JDK: unspecified vulnerability fixed in 7u71 and 8u25 (Deployment) 1152789 - CVE-2014-3566 SSL/TLS: Padding Oracle On Downgraded Legacy Encryption attack 1162554 - CVE-2014-3065 IBM JDK: privilege escalation via shared class cache 6. HP Asset Manager all supported versions. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: java-1.7.0-openjdk security update Advisory ID: RHSA-2015:0067-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0067.html Issue date: 2015-01-21 CVE Names: CVE-2014-3566 CVE-2014-6585 CVE-2014-6587 CVE-2014-6591 CVE-2014-6593 CVE-2014-6601 CVE-2015-0383 CVE-2015-0395 CVE-2015-0407 CVE-2015-0408 CVE-2015-0410 CVE-2015-0412 ===================================================================== 1. Summary: Updated java-1.7.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, noarch, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, noarch, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64 3. Description: The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. A flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2014-6601) Multiple improper permission check issues were discovered in the JAX-WS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412, CVE-2015-0408) A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0395) A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410) A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566) Note: This update disables SSL 3.0 by default to address this issue. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section. It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593) An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407) A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587) Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591) Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383) The CVE-2015-0383 issue was discovered by Red Hat. Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1123870 - CVE-2015-0383 OpenJDK: insecure hsperfdata temporary file handling (Hotspot, 8050807) 1152789 - CVE-2014-3566 SSL/TLS: Padding Oracle On Downgraded Legacy Encryption attack 1183020 - CVE-2014-6601 OpenJDK: class verifier insufficient invokespecial calls verification (Hotspot, 8058982) 1183021 - CVE-2015-0412 OpenJDK: insufficient code privileges checks (JAX-WS, 8054367) 1183023 - CVE-2015-0408 OpenJDK: incorrect context class loader use in RMI transport (RMI, 8055309) 1183031 - CVE-2015-0395 OpenJDK: phantom references handling issue in garbage collector (Hotspot, 8047125) 1183043 - CVE-2015-0407 OpenJDK: directory information leak via file chooser (Swing, 8055304) 1183044 - CVE-2015-0410 OpenJDK: DER decoder infinite loop (Security, 8059485) 1183049 - CVE-2014-6593 OpenJDK: incorrect tracking of ChangeCipherSpec during SSL/TLS handshake (JSSE, 8057555) 1183645 - CVE-2014-6585 ICU: font parsing OOB read (OpenJDK 2D, 8055489) 1183646 - CVE-2014-6591 ICU: font parsing OOB read (OpenJDK 2D, 8056276) 1183715 - CVE-2014-6587 OpenJDK: MulticastSocket NULL pointer dereference (Libraries, 8056264) 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: java-1.7.0-openjdk-1.7.0.75-2.5.4.0.el6_6.src.rpm i386: java-1.7.0-openjdk-1.7.0.75-2.5.4.0.el6_6.i686.rpm java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.0.el6_6.i686.rpm java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.0.el6_6.i686.rpm x86_64: java-1.7.0-openjdk-1.7.0.75-2.5.4.0.el6_6.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.0.el6_6.x86_64.rpm java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.0.el6_6.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): i386: java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.0.el6_6.i686.rpm java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.0.el6_6.i686.rpm java-1.7.0-openjdk-src-1.7.0.75-2.5.4.0.el6_6.i686.rpm noarch: java-1.7.0-openjdk-javadoc-1.7.0.75-2.5.4.0.el6_6.noarch.rpm x86_64: java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.0.el6_6.x86_64.rpm java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.0.el6_6.x86_64.rpm java-1.7.0-openjdk-src-1.7.0.75-2.5.4.0.el6_6.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: java-1.7.0-openjdk-1.7.0.75-2.5.4.0.el6_6.src.rpm x86_64: java-1.7.0-openjdk-1.7.0.75-2.5.4.0.el6_6.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.0.el6_6.x86_64.rpm java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.0.el6_6.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): noarch: java-1.7.0-openjdk-javadoc-1.7.0.75-2.5.4.0.el6_6.noarch.rpm x86_64: java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.0.el6_6.x86_64.rpm java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.0.el6_6.x86_64.rpm java-1.7.0-openjdk-src-1.7.0.75-2.5.4.0.el6_6.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: java-1.7.0-openjdk-1.7.0.75-2.5.4.0.el6_6.src.rpm i386: java-1.7.0-openjdk-1.7.0.75-2.5.4.0.el6_6.i686.rpm java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.0.el6_6.i686.rpm java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.0.el6_6.i686.rpm x86_64: java-1.7.0-openjdk-1.7.0.75-2.5.4.0.el6_6.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.0.el6_6.x86_64.rpm java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.0.el6_6.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): i386: java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.0.el6_6.i686.rpm java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.0.el6_6.i686.rpm java-1.7.0-openjdk-src-1.7.0.75-2.5.4.0.el6_6.i686.rpm noarch: java-1.7.0-openjdk-javadoc-1.7.0.75-2.5.4.0.el6_6.noarch.rpm x86_64: java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.0.el6_6.x86_64.rpm java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.0.el6_6.x86_64.rpm java-1.7.0-openjdk-src-1.7.0.75-2.5.4.0.el6_6.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: java-1.7.0-openjdk-1.7.0.75-2.5.4.0.el6_6.src.rpm i386: java-1.7.0-openjdk-1.7.0.75-2.5.4.0.el6_6.i686.rpm java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.0.el6_6.i686.rpm java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.0.el6_6.i686.rpm x86_64: java-1.7.0-openjdk-1.7.0.75-2.5.4.0.el6_6.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.0.el6_6.x86_64.rpm java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.0.el6_6.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): i386: java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.0.el6_6.i686.rpm java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.0.el6_6.i686.rpm java-1.7.0-openjdk-src-1.7.0.75-2.5.4.0.el6_6.i686.rpm noarch: java-1.7.0-openjdk-javadoc-1.7.0.75-2.5.4.0.el6_6.noarch.rpm x86_64: java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.0.el6_6.x86_64.rpm java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.0.el6_6.x86_64.rpm java-1.7.0-openjdk-src-1.7.0.75-2.5.4.0.el6_6.x86_64.rpm Red Hat Enterprise Linux Client (v. 7): Source: java-1.7.0-openjdk-1.7.0.75-2.5.4.2.el7_0.src.rpm x86_64: java-1.7.0-openjdk-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm java-1.7.0-openjdk-headless-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): noarch: java-1.7.0-openjdk-javadoc-1.7.0.75-2.5.4.2.el7_0.noarch.rpm x86_64: java-1.7.0-openjdk-accessibility-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm java-1.7.0-openjdk-src-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: java-1.7.0-openjdk-1.7.0.75-2.5.4.2.el7_0.src.rpm x86_64: java-1.7.0-openjdk-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm java-1.7.0-openjdk-headless-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): noarch: java-1.7.0-openjdk-javadoc-1.7.0.75-2.5.4.2.el7_0.noarch.rpm x86_64: java-1.7.0-openjdk-accessibility-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm java-1.7.0-openjdk-src-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: java-1.7.0-openjdk-1.7.0.75-2.5.4.2.el7_0.src.rpm ppc64: java-1.7.0-openjdk-1.7.0.75-2.5.4.2.el7_0.ppc64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.2.el7_0.ppc64.rpm java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.2.el7_0.ppc64.rpm java-1.7.0-openjdk-headless-1.7.0.75-2.5.4.2.el7_0.ppc64.rpm s390x: java-1.7.0-openjdk-1.7.0.75-2.5.4.2.el7_0.s390x.rpm java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.2.el7_0.s390x.rpm java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.2.el7_0.s390x.rpm java-1.7.0-openjdk-headless-1.7.0.75-2.5.4.2.el7_0.s390x.rpm x86_64: java-1.7.0-openjdk-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm java-1.7.0-openjdk-headless-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): noarch: java-1.7.0-openjdk-javadoc-1.7.0.75-2.5.4.2.el7_0.noarch.rpm ppc64: java-1.7.0-openjdk-accessibility-1.7.0.75-2.5.4.2.el7_0.ppc64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.2.el7_0.ppc64.rpm java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.2.el7_0.ppc64.rpm java-1.7.0-openjdk-src-1.7.0.75-2.5.4.2.el7_0.ppc64.rpm s390x: java-1.7.0-openjdk-accessibility-1.7.0.75-2.5.4.2.el7_0.s390x.rpm java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.2.el7_0.s390x.rpm java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.2.el7_0.s390x.rpm java-1.7.0-openjdk-src-1.7.0.75-2.5.4.2.el7_0.s390x.rpm x86_64: java-1.7.0-openjdk-accessibility-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm java-1.7.0-openjdk-src-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: java-1.7.0-openjdk-1.7.0.75-2.5.4.2.el7_0.src.rpm x86_64: java-1.7.0-openjdk-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm java-1.7.0-openjdk-headless-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): noarch: java-1.7.0-openjdk-javadoc-1.7.0.75-2.5.4.2.el7_0.noarch.rpm x86_64: java-1.7.0-openjdk-accessibility-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm java-1.7.0-openjdk-src-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2014-3566 https://access.redhat.com/security/cve/CVE-2014-6585 https://access.redhat.com/security/cve/CVE-2014-6587 https://access.redhat.com/security/cve/CVE-2014-6591 https://access.redhat.com/security/cve/CVE-2014-6593 https://access.redhat.com/security/cve/CVE-2014-6601 https://access.redhat.com/security/cve/CVE-2015-0383 https://access.redhat.com/security/cve/CVE-2015-0395 https://access.redhat.com/security/cve/CVE-2015-0407 https://access.redhat.com/security/cve/CVE-2015-0408 https://access.redhat.com/security/cve/CVE-2015-0410 https://access.redhat.com/security/cve/CVE-2015-0412 https://access.redhat.com/security/updates/classification/#critical https://bugzilla.redhat.com/show_bug.cgi?id=1152789#c82 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFUwDLdXlSAg2UNWIIRAvITAJwNYQcKMQzMcUxd8kN51Ur4EaIwZACfa3pb CKtb1wylDFTrIMgCbaIMeCc= =QHW4 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . References: CVE-2014-0224 Heartbleed - Remote Unauthorized Access, Disclosure of Information CVE-2014-3566 POODLE - Remote Disclosure of Information CVE-2014-6271 Shellshock - Remote Code Execution CVE-2014-7169 Shellshock - Remote Code Execution SSRT101835 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP 3PAR Service Processor (SP) versions prior to SP-4.1.0.GA-97.P011, SP-4.2.0.GA-29.P003, and SP-4.3.0.GA-17.P001. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2015-01-27-4 OS X 10.10.2 and Security Update 2015-001 OS X 10.10.2 and Security Update 2015-001 are now available and address the following: AFP Server Available for: OS X Mavericks v10.9.5 Impact: A remote attacker may be able to determine all the network addresses of the system Description: The AFP file server supported a command which returned all the network addresses of the system. This issue was addressed by removing the addresses from the result. CVE-ID CVE-2014-4426 : Craig Young of Tripwire VERT bash Available for: OS X Yosemite v10.10 and v10.10.1 Impact: Multiple vulnerabilities in bash, including one that may allow local attackers to execute arbitrary code Description: Multiple vulnerabilities existed in bash. These issues were addressed by updating bash to patch level 57. CVE-ID CVE-2014-6277 CVE-2014-7186 CVE-2014-7187 Bluetooth Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: An integer signedness error existed in IOBluetoothFamily which allowed manipulation of kernel memory. This issue was addressed through improved bounds checking. This issue does not affect OS X Yosemite systems. CVE-ID CVE-2014-4497 Bluetooth Available for: OS X Yosemite v10.10 and v10.10.1 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: An error existed in the Bluetooth driver that allowed a malicious application to control the size of a write to kernel memory. The issue was addressed through additional input validation. CVE-ID CVE-2014-8836 : Ian Beer of Google Project Zero Bluetooth Available for: OS X Yosemite v10.10 and v10.10.1 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: Multiple security issues existed in the Bluetooth driver, allowing a malicious application to execute arbitrary code with system privilege. The issues were addressed through additional input validation. CVE-ID CVE-2014-8837 : Roberto Paleari and Aristide Fattori of Emaze Networks CFNetwork Cache Available for: OS X Yosemite v10.10 and v10.10.1 Impact: Website cache may not be fully cleared after leaving private browsing Description: A privacy issue existed where browsing data could remain in the cache after leaving private browsing. This issue was addressed through a change in caching behavior. CVE-ID CVE-2014-4460 CoreGraphics Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow existed in the handling of PDF files. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4481 : Felipe Andres Manzano of the Binamuse VRT, via the iSIGHT Partners GVP Program CPU Software Available for: OS X Yosemite v10.10 and v10.10.1, for: MacBook Pro Retina, MacBook Air (Mid 2013 and later), iMac (Late 2013 and later), Mac Pro (Late 2013) Impact: A malicious Thunderbolt device may be able to affect firmware flashing Description: Thunderbolt devices could modify the host firmware if connected during an EFI update. This issue was addressed by not loading option ROMs during updates. CVE-ID CVE-2014-4498 : Trammell Hudson of Two Sigma Investments CommerceKit Framework Available for: OS X Yosemite v10.10 and v10.10.1 Impact: An attacker with access to a system may be able to recover Apple ID credentials Description: An issue existed in the handling of App Store logs. The App Store process could log Apple ID credentials in the log when additional logging was enabled. This issue was addressed by disallowing logging of credentials. CVE-ID CVE-2014-4499 : Sten Petersen CoreGraphics Available for: OS X Yosemite v10.10 and v10.10.1 Impact: Some third-party applications with non-secure text entry and mouse events may log those events Description: Due to the combination of an uninitialized variable and an application's custom allocator, non-secure text entry and mouse events may have been logged. This issue was addressed by ensuring that logging is off by default. This issue did not affect systems prior to OS X Yosemite. CVE-ID CVE-2014-1595 : Steven Michaud of Mozilla working with Kent Howard CoreGraphics Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in the handling of PDF files. The issue was addressed through improved bounds checking. This issue does not affect OS X Yosemite systems. CVE-ID CVE-2014-8816 : Mike Myers, of Digital Operatives LLC CoreSymbolication Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: Multiple type confusion issues existed in coresymbolicationd's handling of XPC messages. These issues were addressed through improved type checking. CVE-ID CVE-2014-8817 : Ian Beer of Google Project Zero FontParser Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: Processing a maliciously crafted .dfont file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in the handling of .dfont files. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4484 : Gaurav Baruah working with HP's Zero Day Initiative FontParser Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of font files. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4483 : Apple Foundation Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: Viewing a maliciously crafted XML file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the XML parser. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4485 : Apple Intel Graphics Driver Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: Multiple vulnerabilities in Intel graphics driver Description: Multiple vulnerabilities existed in the Intel graphics driver, the most serious of which may have led to arbitrary code execution with system privileges. This update addresses the issues through additional bounds checks. CVE-ID CVE-2014-8819 : Ian Beer of Google Project Zero CVE-2014-8820 : Ian Beer of Google Project Zero CVE-2014-8821 : Ian Beer of Google Project Zero IOAcceleratorFamily Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A null pointer dereference existed in IOAcceleratorFamily's handling of certain IOService userclient types. This issue was addressed through improved validation of IOAcceleratorFamily contexts. CVE-ID CVE-2014-4486 : Ian Beer of Google Project Zero IOHIDFamily Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A buffer overflow existed in IOHIDFamily. This issue was addressed with improved bounds checking. CVE-ID CVE-2014-4487 : TaiG Jailbreak Team IOHIDFamily Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A validation issue existed in IOHIDFamily's handling of resource queue metadata. This issue was addressed through improved validation of metadata. CVE-ID CVE-2014-4488 : Apple IOHIDFamily Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A null pointer dereference existed in IOHIDFamily's handling of event queues. This issue was addressed through improved validation of IOHIDFamily event queue initialization. CVE-ID CVE-2014-4489 : @beist IOHIDFamily Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: Executing a malicious application may result in arbitrary code execution within the kernel Description: A bounds checking issue existed in a user client vended by the IOHIDFamily driver which allowed a malicious application to overwrite arbitrary portions of the kernel address space. The issue is addressed by removing the vulnerable user client method. CVE-ID CVE-2014-8822 : Vitaliy Toropov working with HP's Zero Day Initiative IOKit Available for: OS X Yosemite v10.10 and v10.10.1 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: An integer overflow existed in the handling of IOKit functions. This issue was addressed through improved validation of IOKit API arguments. CVE-ID CVE-2014-4389 : Ian Beer of Google Project Zero IOUSBFamily Available for: OS X Yosemite v10.10 and v10.10.1 Impact: A privileged application may be able to read arbitrary data from kernel memory Description: A memory access issue existed in the handling of IOUSB controller user client functions. This issue was addressed through improved argument validation. CVE-ID CVE-2014-8823 : Ian Beer of Google Project Zero Kernel Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: Specifying a custom cache mode allowed writing to kernel read-only shared memory segments. This issue was addressed by not granting write permissions as a side-effect of some custom cache modes. CVE-ID CVE-2014-4495 : Ian Beer of Google Project Zero Kernel Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata. CVE-ID CVE-2014-8824 : @PanguTeam Kernel Available for: OS X Yosemite v10.10 and v10.10.1 Impact: A local attacker can spoof directory service responses to the kernel, elevate privileges, or gain kernel execution Description: Issues existed in identitysvc validation of the directory service resolving process, flag handling, and error handling. This issue was addressed through improved validation. CVE-ID CVE-2014-8825 : Alex Radocea of CrowdStrike Kernel Available for: OS X Yosemite v10.10 and v10.10.1 Impact: A local user may be able to determine kernel memory layout Description: Multiple uninitialized memory issues existed in the network statistics interface, which led to the disclosure of kernel memory content. This issue was addressed through additional memory initialization. CVE-ID CVE-2014-4371 : Fermin J. Serna of the Google Security Team CVE-2014-4419 : Fermin J. Serna of the Google Security Team CVE-2014-4420 : Fermin J. Serna of the Google Security Team CVE-2014-4421 : Fermin J. Serna of the Google Security Team Kernel Available for: OS X Mavericks v10.9.5 Impact: A person with a privileged network position may cause a denial of service Description: A race condition issue existed in the handling of IPv6 packets. This issue was addressed through improved lock state checking. CVE-ID CVE-2011-2391 Kernel Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: Maliciously crafted or compromised applications may be able to determine addresses in the kernel Description: An information disclosure issue existed in the handling of APIs related to kernel extensions. Responses containing an OSBundleMachOHeaders key may have included kernel addresses, which may aid in bypassing address space layout randomization protection. This issue was addressed by unsliding the addresses before returning them. CVE-ID CVE-2014-4491 : @PanguTeam, Stefan Esser Kernel Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A validation issue existed in the handling of certain metadata fields of IOSharedDataQueue objects. This issue was addressed through relocation of the metadata. CVE-ID CVE-2014-4461 : @PanguTeam LaunchServices Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: A malicious JAR file may bypass Gatekeeper checks Description: An issue existed in the handling of application launches which allowed certain malicious JAR files to bypass Gatekeeper checks. This issue was addressed through improved handling of file type metadata. CVE-ID CVE-2014-8826 : Hernan Ochoa of Amplia Security libnetcore Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: A malicious, sandboxed app can compromise the networkd daemon Description: Multiple type confusion issues existed in networkd's handling of interprocess communication. By sending networkd a maliciously formatted message, it may have been possible to execute arbitrary code as the networkd process. The issue is addressed through additional type checking. CVE-ID CVE-2014-4492 : Ian Beer of Google Project Zero LoginWindow Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: A Mac may not lock immediately upon wake Description: An issue existed in the rendering of the lock screen. This issue was address through improved screen rendering while locked. CVE-ID CVE-2014-8827 : Xavier Bertels of Mono, and multiple OS X seed testers lukemftp Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: Using the command line ftp tool to fetch files from a malicious http server may lead to arbitrary code execution Description: A command injection issue existed in the handling of HTTP redirects. This issue was addressed through improved validation of special characters. CVE-ID CVE-2014-8517 OpenSSL Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: Multiple vulnerabilities in OpenSSL 0.9.8za, including one that may allow an attacker to downgrade connections to use weaker cipher-suites in applications using the library Description: Multiple vulnerabilities existed in OpenSSL 0.9.8za. These issues were addressed by updating OpenSSL to version 0.9.8zc. CVE-ID CVE-2014-3566 CVE-2014-3567 CVE-2014-3568 Sandbox Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 Impact: A sandboxed process may be able to circumvent sandbox restrictions Description: A design issue existed in the caching of sandbox profiles which allowed sandboxed applications to gain write access to the cache. This issue was addressed by restricting write access to paths containing a "com.apple.sandbox" segment. This issue does not affect OS X Yosemite v10.10 or later. CVE-ID CVE-2014-8828 : Apple SceneKit Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 Impact: A malicious application could execute arbitrary code leading to compromise of user information Description: Multiple out of bounds write issues existed in SceneKit. These issues were addressed through improved bounds checking. CVE-ID CVE-2014-8829 : Jose Duart of the Google Security Team SceneKit Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: Viewing a maliciously crafted Collada file may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow existed in SceneKit's handling of Collada files. Viewing a maliciously crafted Collada file may have led to an unexpected application termination or arbitrary code execution. This issue was addressed through improved validation of accessor elements. CVE-ID CVE-2014-8830 : Jose Duart of Google Security Team Security Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: A downloaded application signed with a revoked Developer ID certificate may pass Gatekeeper checks Description: An issue existed with how cached application certificate information was evaluated. This issue was addressed with cache logic improvements. CVE-ID CVE-2014-8838 : Apple security_taskgate Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: An app may access keychain items belonging to other apps Description: An access control issue existed in the Keychain. Applications signed with self-signed or Developer ID certificates could access keychain items whose access control lists were based on keychain groups. This issue was addressed by validating the signing identity when granting access to keychain groups. CVE-ID CVE-2014-8831 : Apple Spotlight Available for: OS X Yosemite v10.10 and v10.10.1 Impact: The sender of an email could determine the IP address of the recipient Description: Spotlight did not check the status of Mail's "Load remote content in messages" setting. This issue was addressed by improving configuration checking. CVE-ID CVE-2014-8839 : John Whitehead of The New York Times, Frode Moe of LastFriday.no Spotlight Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: Spotlight may save unexpected information to an external hard drive Description: An issue existed in Spotlight where memory contents may have been written to external hard drives when indexing. This issue was addressed with better memory management. CVE-ID CVE-2014-8832 : F-Secure SpotlightIndex Available for: OS X Yosemite v10.10 and v10.10.1 Impact: Spotlight may display results for files not belonging to the user Description: A deserialization issue existed in Spotlight's handling of permission caches. A user performing a Spotlight query may have been shown search results referencing files for which they don't have sufficient privileges to read. This issue was addressed with improved bounds checking. CVE-ID CVE-2014-8833 : David J Peacock, Independent Technology Consultant sysmond Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: A malicious application may be able to execute arbitrary code with root privileges Description: A type confusion vulnerability existed in sysmond that allowed a local application to escalate privileges. The issue was addressed with improved type checking. CVE-ID CVE-2014-8835 : Ian Beer of Google Project Zero UserAccountUpdater Available for: OS X Yosemite v10.10 and v10.10.1 Impact: Printing-related preference files may contain sensitive information about PDF documents Description: OS X Yosemite v10.10 addressed an issue in the handling of password-protected PDF files created from the Print dialog where passwords may have been included in printing preference files. This update removes such extraneous information that may have been present in printing preference files. CVE-ID CVE-2014-8834 : Apple Note: OS X Yosemite 10.10.2 includes the security content of Safari 8.0.3. For further details see https://support.apple.com/kb/HT204243 OS X Yosemite 10.10.2 and Security Update 2015-001 may be obtained from the Mac App Store or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) iQIcBAEBAgAGBQJUx8ufAAoJEBcWfLTuOo7tWecQAIFvaOlK0Ar2vbUaH0TIpO9F N9SbkWmdNHDNUvc3LJOaeVfAFlXPbgHYqXGIC0kZiRL5Kyhy/K2hH29iNoIDqfET D1jPWOaAFhzvohViYl12ne/A7bBs5v+3G6gqmGCDCqGyn5VFdUMmS0/ZJSCUkPQG LqTvj5D4ulYl8I5uA9Ur9jD2j/TkSCOWiSTO5diMlt1WcKb1fn5pl9b0YNweI8UX FcZPrIlVNeaSywuitdxZEcWOhsJYbS6Xw13crS/HNJGEO+5N7keCnCJiN9HW4Pt6 8iNAgkSWX6S8nP6mq3tiKJmvh6Qj88tvSLgotc79+C8djvkwkxr3611sSLRUStI/ qmwDeJS+rvNgFiLbcJjDDH1EC3qBqMb5mIsMtnXKDDMS8mNeJHaQFngK2YacFLuW gzAMZIcEhLpWq46rYHBsPsB1iG1shyxxz1zL+JKNAi1aTtfFrP3aItQBUG5T345V 0oJol8oxzen9KLNYJMvE9CTJlrRr204DoQkmhY2dUP2W1EQoEGw2qzy/zBIq0yFA 0FNVcSXE+T4yCyHRGakK/sccw6lyCP0xS/lgaPlkyHsFT3oalu9yyqNtDCJl/Cns sAa5dw0tlb8/zWQ3fsJna2yrw5xSboA5KWegtrjtjodrz8O1MjRrTPgx8AnLjKzq nggZl3Sa+QhfaHSUqSJI =uAqk -----END PGP SIGNATURE----- . Relevant releases/architectures: RHOSE Node 2.1 - noarch 3. Description: OpenShift Enterprise by Red Hat is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. 5 client) - i386, x86_64 3. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201411-10 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Asterisk: Multiple Vulnerabilities Date: November 23, 2014 Bugs: #523216, #526208 ID: 201411-10 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Asterisk, the worst of which could lead to Denial of Service. Background ========== Asterisk is an open source telephony engine and toolkit. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/asterisk < 11.13.1 >= 11.13.1 Description =========== Multiple unspecified vulnerabilities have been discovered in Asterisk. Please review the CVE identifiers referenced below for details. Impact ====== A remote attacker could exploit the vulnerabilities to cause a man in the middle attack or cause a Denial of Service condition. Workaround ========== There is no known workaround at this time. Resolution ========== All Asterisk users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/asterisk-11.13.1" References ========== [ 1 ] CVE-2014-3566 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3566 [ 2 ] CVE-2014-6610 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6610 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201411-10.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . These issues were addressed by switching from YAML to JSON as Profile Manager's internal serialization format. An attacker could force the use of SSL 3.0, even when the server would support a better TLS version, by blocking TLS 1.0 and higher connection attempts. This issue was addressed by disabling SSL 3.0 support in Web Server, Calendar & Contacts Server, and Remote Administration. CVE-ID CVE-2013-6393 OS X Server v4.0 may be obtained from the Mac App Store. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c04597376 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04597376 Version: 1 HPSBMU03294 rev.1 - HP Process Automation running OpenSSL, Remote Disclosure of Information NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2015-03-26 Last Updated: 2015-03-26 Potential Security Impact: Remote Denial of Service (DoS), code execution, disclosure of information Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY A potential security vulnerability has been identified with HP Process Automation running OpenSSL. This is the SSLv3 vulnerability known as "Padding Oracle on Downgraded Legacy Encryption" also known as "POODLE", which could be exploited remotely resulting in disclosure of information. References: CVE-2014-3566 (SSRT101795) SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP Process Automation v7.5.1 and earlier. NOTE: Impacted versions also include versions formerly known as Autonomy Process Automation and Cardiff LiquidOffice. BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2014-3566 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has provided the following release of HP Process Automation which includes updates to avoid the vulnerability. HP Process Automation v7.5.2 HP has provided the following procedure to avoid the vulnerability in earlier versions of HP Process Automation. A standard HP Process Automation installation with HTTPS enabled has SSL 3.0 enabled by default and could be vulnerable to the POODLE attack. This assumes that a standard installation has been performed using the installer/configurator without manual edits or other servers involved (e.g. a front-end Web server), and that HTTPS is enabled. The recommended workaround is to disable the SSL 3.0 protocol in the HP Process Automation server. The following procedure can be used to disable SSL 3.0 on the HP Process Automation server and leave only TLS enabled for HTTPS connections. Edit the file "PA_INSTALL_PATH/xmlbase/conf/server.xml" as follows: a. Find the <Connector> tag for HTTPS. NOTE: The entry that is NOT commented out. Add the following attribute to that tag based on the version of HP Process Automation: PA v7.4.1 and earlier: sslProtocols="TLSv1,TLSv1.1,TLSv1.2" PA v7.5 and 7.5.1: sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" 2. After editing, the <Connector> tag should look similar to the following example: <Connector port="443" protocol="HTTP/1.1" URIEncoding="UTF-8" SSLEnabled="true" minSpareThreads="25" maxThreads="150" tcpNoDelay="true" enableLookups="false" acceptCount="300" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" disableUploadTimeout="true" keystoreFile="..." keystorePass="..." redirectPort="443" /> HISTORY Version:1 (rev.1) - 26 March 2015 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2015 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

TYPE

overflow, arbitrary, code execution, info disclosure

EXPLOIT AVAILABILITY

EXTERNAL IDS

REFERENCES