ID

VAR-201410-1418

CVE

CVE-2014-3566

TITLE

HP Security Bulletin HPSBST03265

DESCRIPTION

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. SSL protocol is the abbreviation of Secure Socket Layer protocol (Secure Socket Layer) developed by Netscape, which provides security and data integrity guarantee for Internet communication. There is a security vulnerability in the SSL protocol 3.0 version used in OpenSSL 1.0.1i and earlier versions. The vulnerability is caused by the program's use of non-deterministic CBC padding. Attackers can use padding-oracle attacks to exploit this vulnerability to implement man-in-the-middle attacks and obtain plaintext data. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: java-1.7.0-oracle security update Advisory ID: RHSA-2015:0079-01 Product: Oracle Java for Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0079.html Issue date: 2015-01-22 CVE Names: CVE-2014-3566 CVE-2014-6585 CVE-2014-6587 CVE-2014-6591 CVE-2014-6593 CVE-2014-6601 CVE-2015-0383 CVE-2015-0395 CVE-2015-0403 CVE-2015-0406 CVE-2015-0407 CVE-2015-0408 CVE-2015-0410 CVE-2015-0412 CVE-2015-0413 ===================================================================== 1. Summary: Updated java-1.7.0-oracle packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security impact. 2. Relevant releases/architectures: Oracle Java for Red Hat Enterprise Linux Client (v. 7) - x86_64 Oracle Java for Red Hat Enterprise Linux Client 5 - i386, x86_64 Oracle Java for Red Hat Enterprise Linux Compute Node (v. 7) - x86_64 Oracle Java for Red Hat Enterprise Linux Desktop 5 - i386, x86_64 Oracle Java for Red Hat Enterprise Linux Desktop 6 - i386, x86_64 Oracle Java for Red Hat Enterprise Linux HPC Node 6 - i386, x86_64 Oracle Java for Red Hat Enterprise Linux Server (v. 7) - x86_64 Oracle Java for Red Hat Enterprise Linux Server 6 - i386, x86_64 Oracle Java for Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Oracle Java for Red Hat Enterprise Linux Workstation 6 - i386, x86_64 3. Description: Oracle Java SE version 7 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section. (CVE-2014-3566, CVE-2014-6585, CVE-2014-6587, CVE-2014-6591, CVE-2014-6593, CVE-2014-6601, CVE-2015-0383, CVE-2015-0395, CVE-2015-0403, CVE-2015-0406, CVE-2015-0407, CVE-2015-0408, CVE-2015-0410, CVE-2015-0412, CVE-2015-0413) The CVE-2015-0383 issue was discovered by Red Hat. Note: With this update, the Oracle Java SE now disables the SSL 3.0 protocol to address the CVE-2014-3566 issue (also known as POODLE). Refer to the Red Hat Bugzilla bug linked to in the References section for instructions on how to re-enable SSL 3.0 support if needed. All users of java-1.7.0-oracle are advised to upgrade to these updated packages, which provide Oracle Java 7 Update 75 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1123870 - CVE-2015-0383 OpenJDK: insecure hsperfdata temporary file handling (Hotspot, 8050807) 1152789 - CVE-2014-3566 SSL/TLS: Padding Oracle On Downgraded Legacy Encryption attack 1183020 - CVE-2014-6601 OpenJDK: class verifier insufficient invokespecial calls verification (Hotspot, 8058982) 1183021 - CVE-2015-0412 OpenJDK: insufficient code privileges checks (JAX-WS, 8054367) 1183023 - CVE-2015-0408 OpenJDK: incorrect context class loader use in RMI transport (RMI, 8055309) 1183031 - CVE-2015-0395 OpenJDK: phantom references handling issue in garbage collector (Hotspot, 8047125) 1183043 - CVE-2015-0407 OpenJDK: directory information leak via file chooser (Swing, 8055304) 1183044 - CVE-2015-0410 OpenJDK: DER decoder infinite loop (Security, 8059485) 1183049 - CVE-2014-6593 OpenJDK: incorrect tracking of ChangeCipherSpec during SSL/TLS handshake (JSSE, 8057555) 1183645 - CVE-2014-6585 ICU: font parsing OOB read (OpenJDK 2D, 8055489) 1183646 - CVE-2014-6591 ICU: font parsing OOB read (OpenJDK 2D, 8056276) 1183715 - CVE-2014-6587 OpenJDK: MulticastSocket NULL pointer dereference (Libraries, 8056264) 1184275 - CVE-2015-0403 Oracle JDK: unspecified vulnerability fixed in 6u91, 7u75 and 8u31 (Deployment) 1184277 - CVE-2015-0406 Oracle JDK: unspecified vulnerability fixed in 6u91, 7u75 and 8u31 (Deployment) 1184278 - CVE-2015-0413 Oracle JDK: unspecified vulnerability fixed in 7u75 and 8u31 (Serviceability) 6. Package List: Oracle Java for Red Hat Enterprise Linux Client 5: i386: java-1.7.0-oracle-1.7.0.75-1jpp.1.el5_11.i586.rpm java-1.7.0-oracle-devel-1.7.0.75-1jpp.1.el5_11.i586.rpm java-1.7.0-oracle-javafx-1.7.0.75-1jpp.1.el5_11.i586.rpm java-1.7.0-oracle-jdbc-1.7.0.75-1jpp.1.el5_11.i586.rpm java-1.7.0-oracle-plugin-1.7.0.75-1jpp.1.el5_11.i586.rpm java-1.7.0-oracle-src-1.7.0.75-1jpp.1.el5_11.i586.rpm x86_64: java-1.7.0-oracle-1.7.0.75-1jpp.1.el5_11.x86_64.rpm java-1.7.0-oracle-devel-1.7.0.75-1jpp.1.el5_11.x86_64.rpm java-1.7.0-oracle-javafx-1.7.0.75-1jpp.1.el5_11.x86_64.rpm java-1.7.0-oracle-jdbc-1.7.0.75-1jpp.1.el5_11.x86_64.rpm java-1.7.0-oracle-plugin-1.7.0.75-1jpp.1.el5_11.x86_64.rpm java-1.7.0-oracle-src-1.7.0.75-1jpp.1.el5_11.x86_64.rpm Oracle Java for Red Hat Enterprise Linux Desktop 5: i386: java-1.7.0-oracle-1.7.0.75-1jpp.1.el5_11.i586.rpm java-1.7.0-oracle-devel-1.7.0.75-1jpp.1.el5_11.i586.rpm java-1.7.0-oracle-javafx-1.7.0.75-1jpp.1.el5_11.i586.rpm java-1.7.0-oracle-jdbc-1.7.0.75-1jpp.1.el5_11.i586.rpm java-1.7.0-oracle-plugin-1.7.0.75-1jpp.1.el5_11.i586.rpm java-1.7.0-oracle-src-1.7.0.75-1jpp.1.el5_11.i586.rpm x86_64: java-1.7.0-oracle-1.7.0.75-1jpp.1.el5_11.x86_64.rpm java-1.7.0-oracle-devel-1.7.0.75-1jpp.1.el5_11.x86_64.rpm java-1.7.0-oracle-javafx-1.7.0.75-1jpp.1.el5_11.x86_64.rpm java-1.7.0-oracle-jdbc-1.7.0.75-1jpp.1.el5_11.x86_64.rpm java-1.7.0-oracle-plugin-1.7.0.75-1jpp.1.el5_11.x86_64.rpm java-1.7.0-oracle-src-1.7.0.75-1jpp.1.el5_11.x86_64.rpm Oracle Java for Red Hat Enterprise Linux Desktop 6: i386: java-1.7.0-oracle-1.7.0.75-1jpp.1.el6.i686.rpm java-1.7.0-oracle-devel-1.7.0.75-1jpp.1.el6.i686.rpm java-1.7.0-oracle-javafx-1.7.0.75-1jpp.1.el6.i686.rpm java-1.7.0-oracle-jdbc-1.7.0.75-1jpp.1.el6.i686.rpm java-1.7.0-oracle-plugin-1.7.0.75-1jpp.1.el6.i686.rpm java-1.7.0-oracle-src-1.7.0.75-1jpp.1.el6.i686.rpm x86_64: java-1.7.0-oracle-1.7.0.75-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-devel-1.7.0.75-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-javafx-1.7.0.75-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-jdbc-1.7.0.75-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-plugin-1.7.0.75-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-src-1.7.0.75-1jpp.1.el6.x86_64.rpm Oracle Java for Red Hat Enterprise Linux HPC Node 6: i386: java-1.7.0-oracle-1.7.0.75-1jpp.1.el6.i686.rpm java-1.7.0-oracle-devel-1.7.0.75-1jpp.1.el6.i686.rpm java-1.7.0-oracle-javafx-1.7.0.75-1jpp.1.el6.i686.rpm java-1.7.0-oracle-jdbc-1.7.0.75-1jpp.1.el6.i686.rpm java-1.7.0-oracle-plugin-1.7.0.75-1jpp.1.el6.i686.rpm java-1.7.0-oracle-src-1.7.0.75-1jpp.1.el6.i686.rpm x86_64: java-1.7.0-oracle-1.7.0.75-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-devel-1.7.0.75-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-javafx-1.7.0.75-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-jdbc-1.7.0.75-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-plugin-1.7.0.75-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-src-1.7.0.75-1jpp.1.el6.x86_64.rpm Oracle Java for Red Hat Enterprise Linux Server 6: i386: java-1.7.0-oracle-1.7.0.75-1jpp.1.el6.i686.rpm java-1.7.0-oracle-devel-1.7.0.75-1jpp.1.el6.i686.rpm java-1.7.0-oracle-javafx-1.7.0.75-1jpp.1.el6.i686.rpm java-1.7.0-oracle-jdbc-1.7.0.75-1jpp.1.el6.i686.rpm java-1.7.0-oracle-plugin-1.7.0.75-1jpp.1.el6.i686.rpm java-1.7.0-oracle-src-1.7.0.75-1jpp.1.el6.i686.rpm x86_64: java-1.7.0-oracle-1.7.0.75-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-devel-1.7.0.75-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-javafx-1.7.0.75-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-jdbc-1.7.0.75-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-plugin-1.7.0.75-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-src-1.7.0.75-1jpp.1.el6.x86_64.rpm Oracle Java for Red Hat Enterprise Linux Workstation 6: i386: java-1.7.0-oracle-1.7.0.75-1jpp.1.el6.i686.rpm java-1.7.0-oracle-devel-1.7.0.75-1jpp.1.el6.i686.rpm java-1.7.0-oracle-javafx-1.7.0.75-1jpp.1.el6.i686.rpm java-1.7.0-oracle-jdbc-1.7.0.75-1jpp.1.el6.i686.rpm java-1.7.0-oracle-plugin-1.7.0.75-1jpp.1.el6.i686.rpm java-1.7.0-oracle-src-1.7.0.75-1jpp.1.el6.i686.rpm x86_64: java-1.7.0-oracle-1.7.0.75-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-devel-1.7.0.75-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-javafx-1.7.0.75-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-jdbc-1.7.0.75-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-plugin-1.7.0.75-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-src-1.7.0.75-1jpp.1.el6.x86_64.rpm Oracle Java for Red Hat Enterprise Linux Client (v. 7): Source: java-1.7.0-oracle-1.7.0.75-1jpp.2.el7.src.rpm x86_64: java-1.7.0-oracle-1.7.0.75-1jpp.2.el7.i686.rpm java-1.7.0-oracle-1.7.0.75-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-devel-1.7.0.75-1jpp.2.el7.i686.rpm java-1.7.0-oracle-devel-1.7.0.75-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-javafx-1.7.0.75-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-jdbc-1.7.0.75-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-plugin-1.7.0.75-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-src-1.7.0.75-1jpp.2.el7.x86_64.rpm Oracle Java for Red Hat Enterprise Linux Compute Node (v. 7): Source: java-1.7.0-oracle-1.7.0.75-1jpp.2.el7.src.rpm x86_64: java-1.7.0-oracle-1.7.0.75-1jpp.2.el7.i686.rpm java-1.7.0-oracle-1.7.0.75-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-devel-1.7.0.75-1jpp.2.el7.i686.rpm java-1.7.0-oracle-devel-1.7.0.75-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-javafx-1.7.0.75-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-src-1.7.0.75-1jpp.2.el7.x86_64.rpm Oracle Java for Red Hat Enterprise Linux Server (v. 7): Source: java-1.7.0-oracle-1.7.0.75-1jpp.2.el7.src.rpm x86_64: java-1.7.0-oracle-1.7.0.75-1jpp.2.el7.i686.rpm java-1.7.0-oracle-1.7.0.75-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-devel-1.7.0.75-1jpp.2.el7.i686.rpm java-1.7.0-oracle-devel-1.7.0.75-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-javafx-1.7.0.75-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-jdbc-1.7.0.75-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-plugin-1.7.0.75-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-src-1.7.0.75-1jpp.2.el7.x86_64.rpm Oracle Java for Red Hat Enterprise Linux Workstation (v. 7): Source: java-1.7.0-oracle-1.7.0.75-1jpp.2.el7.src.rpm x86_64: java-1.7.0-oracle-1.7.0.75-1jpp.2.el7.i686.rpm java-1.7.0-oracle-1.7.0.75-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-devel-1.7.0.75-1jpp.2.el7.i686.rpm java-1.7.0-oracle-devel-1.7.0.75-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-javafx-1.7.0.75-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-jdbc-1.7.0.75-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-plugin-1.7.0.75-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-src-1.7.0.75-1jpp.2.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2014-3566 https://access.redhat.com/security/cve/CVE-2014-6585 https://access.redhat.com/security/cve/CVE-2014-6587 https://access.redhat.com/security/cve/CVE-2014-6591 https://access.redhat.com/security/cve/CVE-2014-6593 https://access.redhat.com/security/cve/CVE-2014-6601 https://access.redhat.com/security/cve/CVE-2015-0383 https://access.redhat.com/security/cve/CVE-2015-0395 https://access.redhat.com/security/cve/CVE-2015-0403 https://access.redhat.com/security/cve/CVE-2015-0406 https://access.redhat.com/security/cve/CVE-2015-0407 https://access.redhat.com/security/cve/CVE-2015-0408 https://access.redhat.com/security/cve/CVE-2015-0410 https://access.redhat.com/security/cve/CVE-2015-0412 https://access.redhat.com/security/cve/CVE-2015-0413 https://access.redhat.com/security/updates/classification/#critical http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixJAVA https://bugzilla.redhat.com/show_bug.cgi?id=1152789#c82 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c04762334 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04762334 Version: 1 HPSBGN03391 rev.1 - HP Universal CMDB Foundation, Discovery, Configuration Manager, and CMDB Browser running OpenSSL, Remote Disclosure of Information NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2015-09-21 Last Updated: 2015-09-21 Potential Security Impact: Remote disclosure of information Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY A potential security vulnerability has been identified with HP Universal CMDB Foundation, HP Universal Discovery, HP Universal CMDB Configuration Manager, and HP Universal CMDB Browser. This is the SSLv3 vulnerability known as "Padding Oracle on Downgraded Legacy Encryption" or "POODLE", which could be exploited remotely to allow disclosure of information. References: CVE-2014-3566 (POODLE) SSRT102186 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP Universal CMDB Foundation v10.0, v10.01, v10.10, v10.11. HP Universal Discovery v10.01, v10.10x, v10.11, v10.20. HP Universal CMDB Configuration Manager - all supported versions. HP Universal CMDB Browser - all supported versions. BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2014-3566 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has made the following instructions available to resolve the vulnerability in HP Universal CMDB Foundation, HP Universal Discovery, HP Universal CMDB Configuration Manager, and HP Universal CMDB Browser. Product: HP Universal CMDB Foundation Affected Version Platform / Required Patch Level Information HP Universal CMDB Foundation v10.0 and v10.01 UCMDB 10.01CUP11 Windows https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetse arch/document/LID/UCMDB_00152?lang=en&cc=us&hpappid=113963_OSP_PRO_HPE Linux https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetse arch/document/LID/UCMDB_00153?lang=en&cc=us&hpappid=113963_OSP_PRO_HPE https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetse arch/document/KM01819922?lang=en&cc=us&hpappid=113963_OSP_PRO_HPE HP Universal CMDB Foundation v10.10 and v10.11 UCMDB 10.11CUP3 Windows https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetse arch/document/LID/UCMDB_00154?lang=en&cc=us&hpappid=113963_OSP_PRO_HPE Linux https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetse arch/document/LID/UCMDB_00155?lang=iw&cc=il&hpappid=113963_OSP_PRO_HPE https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetse arch/document/KM01819922?lang=en&cc=us&hpappid=113963_OSP_PRO_HPE Product: HP Universal Discovery Affected Version Required Patch Level Information HP Universal Discovery v10.0 and v10.01 CP12 update15: https://hpln.hp.com/node/11274/contentfiles/?dir=25775 https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetse arch/document/KM01821139?lang=iw&cc=il&hpappid=113963_OSP_PRO_HPE HP Universal Discovery v10.10 and v10.11 CP14 update 5: https://hpln.hp.com/node/11274/contentfiles/?dir=25186 https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetse arch/document/KM01821139?lang=iw&cc=il&hpappid=113963_OSP_PRO_HPE HP Universal Discovery 10.20 CP15 update 2: https://hpln.hp.com/node/11274/contentfiles/?dir=24690 https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetse arch/document/KM01821139?lang=iw&cc=il&hpappid=113963_OSP_PRO_HPE Product: HP Universal CMDB Configuration Manager Affected Version Required Patch level Information HP Universal CMDB Configuration Manager - all supported versions Configuration change as documented in the information section https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetse arch/document/KM01821174?lang=iw&cc=il&hpappid=113963_OSP_PRO_HPE Product: HP Universal CMDB Browser Affected Version Required Patch level Information HP Universal CMDB Browser - all supported versions Configuration change as documented in the information section https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04507636 HISTORY Version:1 (rev.1) - 21 September 2015 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2015 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ESA-2015-043: RSA\xae Validation Manager Security Update for Multiple Vulnerabilities EMC Identifier: ESA-2015-043 CVE Identifier: CVE-2014-3566, CVE-2014-0098, CVE-2014-0231, CVE-2014-0226, CVE-2013-1862, CVE-2012-3499, CVE-2015-0526, CVE-2013-2566 Severity Rating: CVSSv2 Base Score: See below for details Affected Products: RSA Validation Manager 3.2 prior to Build 201 Unaffected Products: RSA Validation Manager 3.2 Build 201 or above Summary: RSA Validation Manager (RVM) requires a security update to address potential multiple vulnerabilities. See https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566 for more details. CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) CVE-2014-0098: The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation. See http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0098 for more details. CVSSv2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) CVE-2014-0231: The mod_cgid module in the Apache HTTP Server before 2.4.10 does not have a timeout mechanism, which allows remote attackers to cause a denial of service (process hang) via a request to a CGI script that does not read from its stdin file descriptor. See https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0231 CVSSv2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) CVE-2014-0226: Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c. See https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0226for more details. CVSSv2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) CVE-2013-1862: mod_rewrite.c in the mod_rewrite module in the Apache HTTP Server 2.2.x before 2.2.25 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to execute arbitrary commands via an HTTP request containing an escape sequence for a terminal emulator. See https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1862 for more details. CVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P) CVE-2012-3499: Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs in the (1) mod_imagemap, (2) mod_info, (3) mod_ldap, (4) mod_proxy_ftp, and (5) mod_status modules. See https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3499 for more details. CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) CVE-2013-2566: The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext. See https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566 for more details. CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) Reflected Cross-Site Scripting Vulnerability (CVE-2015-0526): A cross-site scripting vulnerability affecting the displayMode and wrapPreDisplayMode parameter could potentially be exploited by an attacker to execute arbitrary HTML and script code in RVM user\x92s browser session. CVSSv2 Base Score:7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) For more information about any of the Common Vulnerabilities and Exposures (CVEs) mentioned here, consult the National Vulnerability Database (NVD) at http://nvd.nist.gov/home.cfm. To search for a particular CVE, use the database\x92s search utility at http://web.nvd.nist.gov/view/vuln/search. Recommendation: The following RVM release contains the resolution to these issues: RSA Validation Manager 3.2 Build 201 or later RSA recommends all customers upgrade to the version mentioned above at the earliest opportunity. Credit: RSA would like to thank Ken Cijsouw (ken.cijsouw@sincerus.nl) for reporting CVE-2015-0526. Obtaining Downloads: To obtain the latest RSA product downloads, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com and click Products in the top navigation menu. Select the specific product whose download you want to obtain. Scroll to the section for the product download that you want and click on the link. Obtaining Documentation: To obtain RSA documentation, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com and click Products in the top navigation menu. Select the specific product whose documentation you want to obtain. Scroll to the section for the product version that you want and click the set link. Severity Rating: For an explanation of Severity Ratings, refer to the Knowledge Base Article, \x93Security Advisories Severity Rating\x94 at https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a46604. RSA recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability. Obtaining More Information: For more information about RSA products, visit the RSA web site at http://www.rsa.com. Getting Support and Service: For customers with current maintenance contracts, contact your local RSA Customer Support center with any additional questions regarding this RSA SecurCare Note. For contact telephone numbers or e-mail addresses, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com, click Help & Contact, and then click the Contact Us - Phone tab or the Contact Us - Email tab. General Customer Support Information: http://www.emc.com/support/rsa/index.htm RSA SecurCare Online: https://knowledge.rsasecurity.com EOPS Policy: RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the link below for additional details. http://www.emc.com/support/rsa/eops/index.htm SecurCare Online Security Advisories RSA, The Security Division of EMC, distributes SCOL Security Advisories in order to bring to the attention of users of the affected RSA products important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaim all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. About RSA SecurCare Notes & Security Advisories Subscription RSA SecurCare Notes & Security Advisories are targeted e-mail messages that RSA sends you based on the RSA product family you currently use. If you\x92d like to stop receiving RSA SecurCare Notes & Security Advisories, or if you\x92d like to change which RSA product family Notes & Security Advisories you currently receive, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com/scolcms/help.aspx?_v=view3. Following the instructions on the page, remove the check mark next to the RSA product family whose Notes & Security Advisories you no longer want to receive. Click the Submit button to save your selection. Sincerely, RSA Customer Support -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (Cygwin) iEYEARECAAYFAlWALXgACgkQtjd2rKp+ALxPSwCfSnzb7SBzwIpgfPQoKsSrlbuy ipMAnA7F3OLvOOMH3yFsWhk3RcMQ23Av =XRnt -----END PGP SIGNATURE----- . For Debian 7 (wheezy) this update adds a missing part to make it actually possible to disable client-initiated renegotiation and disables it by default (CVE-2009-3555). TLS compression is disabled (CVE-2012-4929), although this is normally already disabled by the OpenSSL system library. Finally it adds the ability to disable the SSLv3 protocol (CVE-2014-3566) entirely via the new "DisableSSLv3" configuration directive, although it will not disabled by default in this update. Additionally a non-security sensitive issue in redirect encoding is addressed. For Debian 8 (jessie) these issues have been fixed prior to the release, with the exception of client-initiated renegotiation (CVE-2009-3555). This update addresses that issue for jessie. For the oldstable distribution (wheezy), these problems have been fixed in version 2.6-2+deb7u1. For the stable distribution (jessie), these problems have been fixed in version 2.6-6+deb8u1. For the unstable distribution (sid), these problems have been fixed in version 2.6-6.1. We recommend that you upgrade your pound packages. Open the /opt/sdn/virgo/configuration/tomcat-server.xml file for editing Change the following line from this: clientAuth="false" sslEnabledProtocols="TLSv1.0, TLSv1.1,TLSv1.2" to this: clientAuth="false" sslEnabledProtocols=" TLSv1.1,TLSv1.2" Restart the controller. ============================================================================ Ubuntu Security Notice USN-2487-1 January 28, 2015 openjdk-7 vulnerabilities ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.10 - Ubuntu 14.04 LTS Summary: Several security issues were fixed in OpenJDK 7. Software Description: - openjdk-7: Open Source Java implementation Details: Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2014-3566, CVE-2014-6587, CVE-2014-6601, CVE-2015-0395, CVE-2015-0408, CVE-2015-0412) Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure. An attacker could exploit these to expose sensitive data over the network. (CVE-2014-6585, CVE-2014-6591, CVE-2015-0400, CVE-2015-0407) A vulnerability was discovered in the OpenJDK JRE related to information disclosure and integrity. An attacker could exploit this to expose sensitive data over the network. (CVE-2014-6593) A vulnerability was discovered in the OpenJDK JRE related to integrity and availability. An attacker could exploit this to cause a denial of service. (CVE-2015-0383) A vulnerability was discovered in the OpenJDK JRE related to availability. An attacker could this exploit to cause a denial of service. (CVE-2015-0410) A vulnerability was discovered in the OpenJDK JRE related to data integrity. (CVE-2015-0413) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.10: icedtea-7-jre-jamvm 7u75-2.5.4-1~utopic1 openjdk-7-jre 7u75-2.5.4-1~utopic1 openjdk-7-jre-headless 7u75-2.5.4-1~utopic1 openjdk-7-jre-lib 7u75-2.5.4-1~utopic1 openjdk-7-jre-zero 7u75-2.5.4-1~utopic1 openjdk-7-source 7u75-2.5.4-1~utopic1 Ubuntu 14.04 LTS: icedtea-7-jre-jamvm 7u75-2.5.4-1~trusty1 openjdk-7-jre 7u75-2.5.4-1~trusty1 openjdk-7-jre-headless 7u75-2.5.4-1~trusty1 openjdk-7-jre-lib 7u75-2.5.4-1~trusty1 openjdk-7-jre-zero 7u75-2.5.4-1~trusty1 openjdk-7-source 7u75-2.5.4-1~trusty1 This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart any Java applications or applets to make all the necessary changes. This update contains a known regression in the Zero alternative Java Virtual Machine on PowerPC and a future update will correct this issue. We apologize for the inconvenience

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

TYPE

arbitrary, info disclosure

EXPLOIT AVAILABILITY

EXTERNAL IDS

REFERENCES