Solved

Solaris 10 x86 OpenSSL patch/package to address vulnerabilities

Posted on 2015-02-23
862 Views
Last Modified: 2015-03-11
There have been quite a number of OpenSSL vulnerabilities lately & even SSLv3 is now vulnerable;
I guess only TLS with certain ciphers is now non-vulnerable (perhaps it should be called OpenTLS?)

Q1:
What's the latest patch/package for Solaris 10 (for x86) that is non-vulnerable?

Q2:
Kindly provide the Oracle link to download it as well as all pre-requisite packages. I have a
subscription to Oracle, but my last login to SunSolve was a couple of years before Oracle acquired
Sun, so I've lost touch.

Q3:
Do provide brief Solaris commands (I recall it's something like 'pkgadd -d ./...' or 'patchadd ...')
to install the pre-requisite packages & this non-vulnerable OpenSSL.

Q4:
I guess OpenSSL is only used in web servers, so how do I verify it has taken effect (i.e. using TLS
& not SSL) & whether it breaks anything? If I can browse the webpage & load certain apps, is this good
enough?
Question by:sunhux
7 Comments
 
LVL 62

Assisted Solution

by:gheist
gheist earned 480 total points
ID: 40626532
Q1: Which CVE numbers are you referring to? It ships with such an old version of OpenSSL that it is not affected by Heartbleed, and is not fixable against POODLE.
Q2: Kindly use your subscription to find the links, as they are all now fingerprinted.
Q3: You can use graphical updater.
Q4: You are mistaken. Absolutely
Author Comment

by:sunhux
ID: 40627329
If there's no patch for Poodle (or any of the OpenSSL vulnerabilities), I'm
looking for workarounds such as what's listed on
  https://support.oracle.com/epmos/faces/DocumentDisplay?id=1935621.1&_adf.ctrl-state=16z63srznx_859&_afrLoop=250521592555892

E.g., for Apache 2.x (I guess it's applicable to Oracle Web servers as well, or is it?):
Make the following changes in the configuration file.

--- /etc/apache2/ssl.conf.orig  Wed Oct 15 21:24:24 2014
+++ /etc/apache2/ssl.conf       Wed Oct 15 21:23:45 2014
@@ -102,6 +102,8 @@
# packages from the Solaris 10 Data Encryption Kit.
SSLCipherSuite ALL:!ADH:!EXPORT56:-AES256-SHA:-DHE-RSA-AES256-SHA:-DHE-DSS-AES256-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

+SSLProtocol All -SSLv2 -SSLv3
+
#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
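Review bot: the added `SSLProtocol All -SSLv2 -SSLv3` line fixes the protocol versions, but the `SSLCipherSuite` line in the context two lines above still ends in `+LOW:+SSLv2:+EXP:+eNULL`, so export-grade, LOW and null-encryption cipher suites remain offered over the TLS versions that stay enabled. Tighten that directive in the same change (for example `SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW`) rather than leaving the original list in place; the hunk as shown only partially hardens the server.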

Once this change is done restart Apache HTTPD service.  Apache httpd 2.x is managed by SMF, so the following commands can be used:
svcadm restart svc:/network/http:apache2
To verify whether SSLv3 is disabled on your server you can use following command:
openssl s_client -connect <server>:<port> -ssl3
You should see handshake failure if SSLv3 is disabled.

Any idea how we can fix it for, say, Glassfish or common Solaris apps
that use OpenSSL?
E.g., for Python, we would do:
Instead of using any of:

PROTOCOL_SSLv2
PROTOCOL_SSLv3
PROTOCOL_SSLv23

Use:
PROTOCOL_TLSv1
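One way to check an Apache mod_ssl configuration for the two weaknesses discussed above (SSLv2/SSLv3 still allowed, and weak cipher groups still enabled), as an added example that is not code from the thread or from Oracle's document. It assumes httpd 2.2 mod_ssl semantics, where an unset SSLProtocol means 'All' and 'All' includes SSLv2 and SSLv3; the sample configuration is constructed from the cipher line in the hunk above.

```python
# Added example, not code from the thread or Oracle's document. Assumes httpd 2.2
# mod_ssl semantics: an unset SSLProtocol means 'All', and 'All' includes SSLv2/3.
WEAK_CIPHER_GROUPS = {"eNULL", "aNULL", "EXP", "EXPORT56", "LOW", "SSLv2", "RC4"}
BEFORE = (  # constructed sample: the hunk's cipher line, no SSLProtocol yet
    "SSLCipherSuite ALL:!ADH:!EXPORT56:-AES256-SHA:-DHE-RSA-AES256-SHA:"
    "-DHE-DSS-AES256-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL\n")
AFTER = BEFORE + "SSLProtocol All -SSLv2 -SSLv3\n"  # the one line the patch adds
def parse_directives(config_text):
    """Last value of SSLProtocol / SSLCipherSuite; comment lines never match."""
    found = {}
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and parts[0] in ("SSLProtocol", "SSLCipherSuite"):
            found[parts[0]] = parts[1].strip()
    return found

def allowed_protocols(value):
    """Expand an SSLProtocol value such as 'All -SSLv2 -SSLv3' into a set."""
    allowed = set()
    for tok in value.split():
        if tok.lower() == "all":
            allowed |= {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
        elif tok.startswith("-"):
            allowed.discard(tok[1:])
        else:
            allowed.add(tok.lstrip("+"))
    return allowed

def enabled_cipher_groups(suite):
    """'!' kills a group, '-' removes it, '+'/bare adds it; 'RC4+RSA' names two."""
    enabled, killed = set(), set()
    for element in suite.split(":"):
        if element.startswith("!"):
            killed.add(element[1:])
        elif element.startswith("-"):
            enabled.discard(element[1:])
        else:
            enabled.update(element.lstrip("+").split("+"))
    return enabled - killed

def audit(config_text):
    """Return findings as strings; an empty list means both directives pass."""
    findings, d = [], parse_directives(config_text)
    bad = allowed_protocols(d.get("SSLProtocol", "All")) & {"SSLv2", "SSLv3"}
    if bad:
        findings.append("SSLProtocol allows " + ", ".join(sorted(bad)))
    weak = enabled_cipher_groups(d.get("SSLCipherSuite", "")) & WEAK_CIPHER_GROUPS
    if weak:
        findings.append("SSLCipherSuite enables " + ", ".join(sorted(weak)))
    return findings
```

The cipher check only looks at groups named explicitly and does not expand OpenSSL's ALL or DEFAULT keywords, so a suite of plain ALL passes even though it includes LOW and EXP ciphers; audit(AFTER) still reports the cipher finding, which is the point the patch leaves open.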
LVL 62

Expert Comment

by:gheist
ID: 40627508
So disable SSLv3.
You don't need any software patching after that.

Author Comment

by:sunhux
ID: 40627711
Well, our Solaris x86 VMs have the following packages:

# pkginfo |grep -i openssl
system      SUNWopenssl-commands             OpenSSL Commands (Usr)
system      SUNWopenssl-include              OpenSSL Header Files
system      SUNWopenssl-libraries            OpenSSL Libraries (Usr)
system      SUNWopenssl-man                  OpenSSL Manual Pages
system      SUNWopensslr                     OpenSSL (Root)

Assuming they're older versions, where do I get the newer non-vulnerable packages?
Author Comment

by:sunhux
ID: 40627721
I recall seeing somewhere that there are ways to disable SSLv2 & SSLv3 at the
Windows & Linux OS level, but I can't locate the link/URL currently.

Is there anything similar for Solaris 10  x86 ?


One related query on OpenSSL:
HP told us their HPSA (HP Server Automation) is not vulnerable even though
our VA scanner reported it's vulnerable: HP said as long as SSLv2 / v3 are
disabled at the OS level, what the VA scanner reports is a false positive. Any truth?
LVL 62

Assisted Solution

by:gheist
gheist earned 480 total points
ID: 40627823
Probably the scanner checks the openssl package version.
While POODLE is a theoretical danger,
Heartbleed is a clear and present danger in any unpatched OpenSSL 1.0.1 (and not older versions).
LVL 64

Accepted Solution

by:btan
btan earned 1520 total points
ID: 40636621
A1: The latest patch for Solaris should be referenced from the Oracle site (Jan 15, if I recall correctly); for the latest SSL-related patch please see A2.
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

A2: Oracle is addressing the SSLv3 vulnerability primarily by looking at POODLE; they advise disabling SSL 3.0 in all Oracle products that support this protocol.
http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html
You should still be able to create free account - it gives you access to a variety of online services, applications, and communities https://profile.oracle.com/myprofile/account/create-account.jspx

A3: Better to get the official patch (you need an account) to address the CVE; also, if you installed the JRE and JDK, you need to disable the JRE and JDK in Oracle Solaris too (developer based though). http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html

A4: Primarily it is Apache HTTPD; you do not control the client, but minimally the web server should disable SSLv3 and below.
http://sunadmintips.blogspot.sg/2012/10/disable-weak-ssl-ciphers-httpd-apache.html
Best to check if there are any other web servers installed, e.g. nginx installed by a user, in this case with OpenSSL.
http://wiki.nginx.org/Installing_on_Solaris_10_u5

As a whole, OpenSSL should be in S10 - https://blogs.oracle.com/janp/entry/on_openssl_versions_in_solaris

But overall, if we can find OpenSSL in the platform, we should do the disabling also - you may be interested in this project (PCA - Patch Check Advanced): http://www.par.univie.ac.at/solaris/pca/usage.html