  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 950

Solaris 10 x86 OpenSSL patch/package to address vulnerabilities

There have been quite a number of OpenSSL vulnerabilities lately, and even SSLv3 is now vulnerable;
I guess only TLS with certain ciphers is now non-vulnerable (perhaps it should be called OpenTLS?)

Q1:
What's the latest patch/package for Solaris 10 (for x86) that is non-vulnerable?

Q2:
Kindly provide the Oracle link to download it as well as all pre-requisite packages. I have
a subscription to Oracle, but my last login to SunSolve was a couple of years before Oracle acquired
Sun, so I've lost touch.

Q3:
Do provide the brief Solaris commands (I recall it's something like 'pkgadd -d ./...' or 'patchadd ...')
to install the pre-requisite packages and this non-vulnerable OpenSSL.

Q4:
I guess OpenSSL is only used in web servers, so how do I verify it has taken effect (i.e. using TLS
and not SSL) and whether it breaks anything? If I can browse the web page and load certain apps, is this good
enough?
0
Asked by: sunhux
3 Solutions
 
gheist commented:
Q1: Which CVE numbers are you referring to? It ships with such an old version of OpenSSL that it is not affected by Heartbleed, and is not fixable against Poodle.
Q2: Kindly use your subscription to find links, as they are all now fingerprinted.
Q3: You can use graphical updater.
Q4: You are mistaken. Absolutely
0
 
sunhux (Author) commented:
If there's no patch for Poodle (or any of the OpenSSL vulnerabilities), I'm
looking for workarounds such as what's listed on
  https://support.oracle.com/epmos/faces/DocumentDisplay?id=1935621.1&_adf.ctrl-state=16z63srznx_859&_afrLoop=250521592555892

E.g., for Apache 2.x (I guess it's applicable to Oracle web servers as well, or is it?):
Make the following changes in the configuration file.

--- /etc/apache2/ssl.conf.orig  Wed Oct 15 21:24:24 2014
+++ /etc/apache2/ssl.conf       Wed Oct 15 21:23:45 2014
@@ -102,6 +102,8 @@
# packages from the Solaris 10 Data Encryption Kit.
SSLCipherSuite ALL:!ADH:!EXPORT56:-AES256-SHA:-DHE-RSA-AES256-SHA:-DHE-DSS-AES256-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

+SSLProtocol All -SSLv2 -SSLv3
+
#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
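Review bot: the hunk tightens SSLProtocol but leaves the SSLCipherSuite line in its context untouched, and that line still adds +LOW, +SSLv2, +EXP and +eNULL, so after this change a TLS client can still negotiate export-grade, 56-bit or null-encryption ciphers; the cipher string should drop those four additions (or negate them with `!`) in the same change. One smaller point: the header timestamps show ssl.conf.orig (21:24:24) newer than ssl.conf (21:23:45), which suggests the two files were swapped when the diff was taken.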

Once this change is done, restart the Apache HTTPD service. Apache httpd 2.x is managed by SMF, so the following command can be used:
svcadm restart svc:/network/http:apache2
To verify whether SSLv3 is disabled on your server, you can use the following command:
openssl s_client -connect <server>:<port> -ssl3
You should see a handshake failure if SSLv3 is disabled.

Any idea how we can fix it for, say, Glassfish or common Solaris apps
that use OpenSSL?
E.g., for Python, we would do:
Instead of using any of:

PROTOCOL_SSLv2
PROTOCOL_SSLv3
PROTOCOL_SSLv23

Use:
PROTOCOL_TLSv1
0
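The two mitigations quoted in this post, the Apache SSLProtocol/SSLCipherSuite change and the Python protocol constant, can both be checked mechanically. The following is an added example written for this thread; it is not Oracle's, Apache's or the thread author's code. The configuration fragments are constructed to mirror the ssl.conf diff quoted above, the function names are this example's own, and it assumes that an absent SSLProtocol directive means mod_ssl's old default of "all" (Apache 2.2 behaviour). The Python part goes further than the post's PROTOCOL_TLSv1 advice by setting a TLS 1.2 floor, since PROTOCOL_TLSv1 is deprecated on current Python.

```python
"""Audit Apache mod_ssl protocol and cipher directives, and build a Python
TLS-only client context.

Added example for this thread; it is not Oracle's, Apache's or the thread
author's code. The configuration fragments below are constructed to mirror
the ssl.conf diff quoted in the thread, and every function name is this
example's own invention.
"""
import re
import ssl

# Protocols mod_ssl of that era could negotiate. Assumption: "all" expands to
# every one of these (Apache 2.2 behaviour; 2.4 already leaves SSLv2 out).
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# OpenSSL cipher-list keywords a server suite should never *add*:
# eNULL = no encryption, aNULL/ADH = no server authentication,
# EXP/EXPORT = 40/56-bit export grade, LOW = 56/64-bit, SSLv2 = SSLv2-era ciphers.
WEAK_CIPHER_KEYWORDS = ("eNULL", "aNULL", "ADH", "EXP", "EXPORT", "LOW", "SSLv2")


def parse_directives(conf_text):
    """Return {"sslprotocol": ..., "sslciphersuite": ...} for the last active
    occurrence of each directive; comment and blank lines are ignored."""
    found = {}
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = re.match(r"(SSLProtocol|SSLCipherSuite)\s+(.+)", stripped, re.IGNORECASE)
        if m:
            found[m.group(1).lower()] = m.group(2).strip()
    return found


def enabled_protocols(sslprotocol_value):
    """Expand an SSLProtocol value left to right: "all" or a bare/"+" token
    adds, a "-" token removes. "All -SSLv2 -SSLv3" -> {TLSv1, TLSv1.1, TLSv1.2}."""
    enabled = set()
    for token in sslprotocol_value.split():
        sign, name = ("", token) if token[0] not in "+-" else (token[0], token[1:])
        if name.lower() == "all":
            targets = set(PROTOCOLS)
        else:
            targets = {p for p in PROTOCOLS if p.lower() == name.lower()}
        if sign == "-":
            enabled -= targets
        else:
            enabled |= targets
    return enabled


def audit_ssl_conf(conf_text):
    """Return a list of findings; an empty list means both directives pass."""
    directives = parse_directives(conf_text)
    findings = []
    # Assumption: with no SSLProtocol line, the old mod_ssl default "all" applies.
    for legacy in ("SSLv2", "SSLv3"):
        if legacy in enabled_protocols(directives.get("sslprotocol", "all")):
            findings.append(f"SSLProtocol allows {legacy}")
    # A cipher token enables its group unless prefixed with "!" (kill) or "-" (remove).
    for token in directives.get("sslciphersuite", "").split(":"):
        if token.startswith(("!", "-")):
            continue
        name = token.lstrip("+")
        if name in WEAK_CIPHER_KEYWORDS:
            findings.append(f"SSLCipherSuite enables {name}")
    return findings


def tls_only_client_context():
    """Client context that refuses SSLv2/SSLv3 and, going further than the
    thread's PROTOCOL_TLSv1 advice, TLS 1.0/1.1 as well. PROTOCOL_TLSv1 is
    deprecated on current Python, so the floor is set via minimum_version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed sample: the ssl.conf fragment before the change (no SSLProtocol).
BEFORE_CONF = """\
# packages from the Solaris 10 Data Encryption Kit.
SSLCipherSuite ALL:!ADH:!EXPORT56:-AES256-SHA:-DHE-RSA-AES256-SHA:-DHE-DSS-AES256-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

#   Server Certificate:
"""
# Constructed sample: the same fragment with the diff's one added line.
AFTER_CONF = BEFORE_CONF.replace("#   Server", "SSLProtocol All -SSLv2 -SSLv3\n\n#   Server")
# Constructed sample: protocol floor plus a cipher suite that only removes groups.
HARDENED_CONF = """\
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4
"""

if __name__ == "__main__":
    for label, conf in (("before", BEFORE_CONF), ("after", AFTER_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_ssl_conf(conf) or 'OK'}")
    print("python client floor:", tls_only_client_context().minimum_version.name)
```

Run against the diff's "after" state, the audit reports no SSLv2/SSLv3 findings but still flags the LOW, SSLv2, EXP and eNULL additions left in the cipher suite, which is why disabling the protocol alone is only half of the fix; the hardened fragment passes cleanly.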
 
gheist commented:
So disable SSLv3.
You don't need any software patching after.
0
 
sunhux (Author) commented:
Well, our Solaris x86 VMs have the following packages:

# pkginfo |grep -i openssl
system      SUNWopenssl-commands             OpenSSL Commands (Usr)
system      SUNWopenssl-include              OpenSSL Header Files
system      SUNWopenssl-libraries            OpenSSL Libraries (Usr)
system      SUNWopenssl-man                  OpenSSL Manual Pages
system      SUNWopensslr                     OpenSSL (Root)

Assuming they're older versions, where do I get the newer non-vulnerable packages?
0
 
sunhux (Author) commented:
I recall seeing somewhere that there are ways to disable SSLv2 and SSLv3 at the
Windows and Linux OS level, but I can't locate the link/URL currently.

Is there anything similar for Solaris 10 x86?


One related query on OpenSSL:
HP told us their HPSA (HP Server Automation) is not vulnerable even though
our VA scanner reported it's vulnerable: HP said as long as SSLv2 / v3 are
disabled at the OS level, what the VA scanner reports is a false positive. Any truth to that?
0
 
gheist commented:
Probably the scanner checks the openssl package version.
While Poodle is a theoretical danger,
Heartbleed is a clear and present danger in any unpatched OpenSSL 1.0.1 (and not in older versions).
0
 
btan (Exec Consultant) commented:
A1: The latest patch for Solaris should be referenced from the Oracle site (Jan 15, if I recall correctly); for the latest SSL-related patch, please see A2.
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

A2: Oracle, addressing the SSLv3 vulnerability (primarily Poodle), advises disabling SSL 3.0 in all Oracle products that support this protocol.
http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html
You should still be able to create a free account; it gives you access to a variety of online services, applications, and communities: https://profile.oracle.com/myprofile/account/create-account.jspx

Kindly provide the Oracle link to download it as well as all pre-requisite packages. I have
a subscription to Oracle, but my last login to SunSolve was a couple of years before Oracle acquired
Sun, so I've lost touch.

A3: Better to get the official patch (have an account) to address the CVE; also, if you installed the JRE and JDK, you need to disable it in the JRE and JDK on Oracle Solaris too (developer-based, though). http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html

A4: Primarily it is Apache HTTPD; you do not control the client, but minimally the web server should disable SSLv3 and below.
http://sunadmintips.blogspot.sg/2012/10/disable-weak-ssl-ciphers-httpd-apache.html
Best to check if there are any other web servers installed, e.g. nginx installed by a user, in this case with OpenSSL.
http://wiki.nginx.org/Installing_on_Solaris_10_u5

As a whole, OpenSSL should be in S10: https://blogs.oracle.com/janp/entry/on_openssl_versions_in_solaris

But overall, if we can find OpenSSL on the platform, we should do the disabling as well; you may be interested in this project (PCA - Patch Check Advanced): http://www.par.univie.ac.at/solaris/pca/usage.html
0
