SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Red Hat JBoss Vendors:   Red Hat
(Red Hat Issues Fix for JBoss) OpenSSL Flaws Let Remote Users Deny Service and Decrypt TLS Sessions in Certain Cases
SecurityTracker Alert ID:  1036465
SecurityTracker URL:  http://securitytracker.com/id/1036465
CVE Reference:   CVE-2016-0800   (Links to External Site)
Date:  Jul 27 2016
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Multiple vulnerabilities were reported in OpenSSL. A remote user can decrypt TLS sessions in certain cases. A remote user can cause denial of service conditions on the target system. JBoss is affected.

A remote user can decrypt TLS sessions in certain cases by using a server that supports SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle [CVE-2016-0800]. This attack is known as a DROWN attack.

Systems with a private key used on another server for any protocol that allows SSLv2 connections are affected.

Systems running versions prior to 1.0.2a, 1.0.1m, 1.0.0r, and 0.9.8zf (released on March 19, 2015) can be exploited more readily.

The original advisory is available at:

https://drownattack.com/drown-attack-paper.pdf

Nimrod Aviram, Sebastian Schinzel, Juraj Somorovsky, Nadia Heninger, Maik Dankel, Jens Steube, Luke Valenta, David Adrian, J. Alex Halderman, Viktor Dukhovni, Emilia Kasper, Shaanan Cohney, Susanne Engels, Christof Paar, and Yuval Shavitt reported this vulnerability.

A remote user can create a specially crafted private DSA key that, when processed by OpenSSL, will trigger a double free memory error and cause denial of service conditions [CVE-2016-0705].

Adam Langley (Google/BoringSSL) reported this vulnerability.

A remote user can supply a specially crafted username value to the target SRP server to trigger a memory leak [CVE-2016-0798].

Emilia Kasper of the OpenSSL development team reported this vulnerability.

A user can create specially crafted data (e.g., configuration file) that, when processed by OpenSSL, will trigger a null pointer dereference in the BN_hex2bn/BN_dec2bn() functions [CVE-2016-0797].

Guido Vranken reported this vulnerability.

A user can create specially crafted data that, when processed by OpenSSL, will trigger a memory error in BIO_*printf() functions [CVE-2016-0799].

Guido Vranken reported this vulnerability.

A local user can conduct a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture to potentially recover RSA keys [CVE-2016-0702].

Yuval Yarom, the University of Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and Nadia Heninger, University of Pennsylvania, reported this vulnerability.

The SSLv2 's2_srvr.c' code does not ensure that a clear-key-length value is 0 for non-export ciphers. As a result, clear-key bytes can displace encrypted-key bytes, which can be exploited to conduct a key recovery attack [CVE-2016-0703].

Versions 1.0.2, 1.0.1l, 1.0.0q, and 0.9.8ze and prior versions are affected.

David Adrian and J. Alex Halderman of the University of Michigan reported this vulnerability.

The Bleichenbacher protection for export cipher suites in 's2_srvr.c' overwrites bytes incorrectly in the master-key, which may provide a Bleichenbacher oracle that can be used to decrypt sessions [CVE-2016-0704].

Versions 1.0.2, 1.0.1l, 1.0.0q, and 0.9.8ze and all prior versions are affected.

David Adrian and J. Alex Halderman of the University of Michigan reported this vulnerability.

A remote user can trigger an out-of-bounds memory write error in doapr_outch() in 'crypto/bio/b_print.c' to potentially execute arbitrary code on the target system [CVE-2016-2842].

Guido Vranken reported this vulnerability.

Impact:   A remote user can decrypt TLS sessions in certain cases.

A remote user can cause denial of service conditions.

A remote user can execute arbitrary code on the target system.

Solution:   Red Hat has issued a fix for CVE-2016-0800 for JBoss.

The Red Hat advisory is available at:

https://rhn.redhat.com/errata/RHSA-2016-1519.html

Vendor URL:  rhn.redhat.com/errata/RHSA-2016-1519.html (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Red Hat Enterprise)

Message History:   This archive entry is a follow-up to the message listed below.
Mar 1 2016 OpenSSL Flaws Let Remote Users Deny Service and Decrypt TLS Sessions in Certain Cases



 Source Message Contents

Subject:  [RHSA-2016:1519-01] Critical: Red Hat JBoss Operations Network 3.3.6 update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat JBoss Operations Network 3.3.6 update
Advisory ID:       RHSA-2016:1519-01
Product:           Red Hat JBoss Operations Network
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-1519.html
Issue date:        2016-07-27
CVE Names:         CVE-2015-5220 CVE-2016-0800 CVE-2016-3737 
=====================================================================

1. Summary:

Red Hat JBoss Operations Network 3.3 update 6, which fixes two security
issues and several bugs, is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Critical security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

2. Description:

Red Hat JBoss Operations Network is a Middleware management solution that
provides a single point of control to deploy, manage, and monitor JBoss
Enterprise Middleware, applications, and services.

This JBoss Operations Network 3.3.6 release serves as a replacement for
JBoss Operations Network 3.3.5, and includes several bug fixes. Refer to
the Customer Portal page linked in the References section for information
on the most significant of these changes.

The following security issues are also fixed with this release:

It was discovered that sending specially crafted HTTP request to the JON
server would allow deserialization of that message without authentication.
An attacker could use this flaw to cause remote code execution.
(CVE-2016-3737)

It was discovered that sending requests containing large headers to the Web
Console produced a Java OutOfMemoryError in the HTTP management interface.
An attacker could use this flaw to cause a denial of service.
(CVE-2015-5220)

A padding oracle flaw was found in the Secure Sockets Layer version 2.0
(SSLv2) protocol. An attacker could potentially use this flaw to decrypt
RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol
version, allowing them to decrypt such connections. This cross-protocol
attack is publicly referred to as DROWN. (CVE-2016-0800)

All users of JBoss Operations Network 3.3.5, as provided from the Red Hat
Customer Portal, are advised to upgrade to JBoss Operations Network 3.3.6.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update). Before applying this update, back up your
existing JBoss Operations Network installation (including its databases,
applications, configuration files, the JBoss Operations Network server's
file system directory, and so on).

Refer to the JBoss Operations Network 3.3.6 Release Notes for
installation information.

4. Bugs fixed (https://bugzilla.redhat.com/):

1184000 - Bundles missing from the left list / bundle navigation tree
1186300 - java.lang.IllegalArgumentException:Invalid column widths (more widths than columns) [58%, *] error thrown in JBoss ON UI
1205429 - Platform's file system resources are blacklisted and all other child resources take 5 minutes to discover if NFS mount exists to host that is blocking RPC port
1206485 - JON favicon is not used
1207232 - Search bar placed over the main menu on navigating to Dashboards
1211341 - Browser session timeouts on pages where autorefresh is enabled
1212495 - Solaris10-Error in server log after Generate JDR Report operation
1213812 - After upgrade from JBoss ON 3.2 to 3.3, some rhq column families are unavailable and compaction operations fail
1218129 - Calltime metrics sort does not work properly
1232836 - NoResultException in server.log when deploying from resource content for war type != File (Deployment:AS7)
1253647 - jboss-on-agent-init-ec2 requires old package
1255597 - CVE-2015-5220 OOME from EAP 6 http management console
1257741 - First attempt of saving SNMP alert configurations is failed if UDP transport protocol is used
1261890 - Metrics are not properly updated/refreshed in JON UI
1264001 - JON UI fails to load metrics with the message "Cannot load metrics" while plugin container is restarting
1266356 - Commons HttpClient can hang during SSLHandshake
1268329 - The same user is able to upload bundle via 'Upload' but not via 'URL'
1272358 - When creating a big bundle via UI the wizard shows errors if user clicks Next button multiple times
1272473 - Confusing error shown in UI wizard when creating big bundle on oracle and hitting ORA-01691: unable to extend lob segment
1288455 - The data aggregation job in JBoss ON stopped due to unreachable storage node
1290436 - Invalid properties PARTITION_EVENT_PURGE and RESOURCE_CONFIG_HISTORY_PURGE appear on system setting page and prevent config from being saved
1295863 - The number of resources in All Groups/Compatible Groups page is not correct all the time
1297702 - Deletion of partition events in JBoss ON results in OutOfMemoryError when there is a million or more partition events to be deleted
1298144 - Missing "Event Detection" option from the drop down list when trying to create an alert using alert template
1299448 - Storage node heap size cannot be changed using JBoss ON UI
1301575 - apply-updates.bat in jon-server-3.3-update-04.zip only works reliably in the USA
1302322 - Secure server-agent communication using sslsocket incorrectly requires a truststore password
1306231 - Method SystemManager.setSystemSettings(settings) does not propagate LDAP changes into the RHQ Server's JAAS login modules
1306602 - Uninventory of resource leaves orphaned content data in the database
1308947 - Group Operation sequential execution list limited to 50 members
1309481 - Remote API is missing ability to retrieve and revert historic plug-in and resource configuration
1310593 - CVE-2016-0800 SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN)
1311140 - EAP7 - missing rt filter modules for eap7
1312847 - Report "Suspect Metrics" is empty for user in "All Resources" role
1317993 - Application fails to deploy on EAP7 when the rt filter is installed
1320478 - NPE in server.log Error persisting trait data
1323325 - rhqctl status can report storage node as ?running or ?down if locale does not support extended character sets
1324828 - pretty.print(null) fails
1328316 - Required fields in map-property does not prevent finishing the Resource Create Wizard
1333618 - CVE-2016-3737 JON: The agent/server communication deserializes data, and does not require authentication
1339301 - REST fetch of groups doesn't scale

5. References:

https://access.redhat.com/security/cve/CVE-2015-5220
https://access.redhat.com/security/cve/CVE-2016-0800
https://access.redhat.com/security/cve/CVE-2016-3737
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em&downloadType=securityPatches&version=3.3

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFXmNN3XlSAg2UNWIIRAgTIAJ4l+jjDlbp3HJRkfP84ZKgSptPR4QCguAnn
Dq9UQGPLwe2Pp2G8pyn28P4=
=5qRr
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC