Solved

Solaris 10 x86 OpenSSL patch/package to address vulnerabilities

Posted on 2015-02-23
Last Modified: 2015-03-11
There have been quite a number of OpenSSL vulnerabilities lately, and even SSLv3 is now vulnerable;
I guess only TLS with certain ciphers is now non-vulnerable (perhaps it should be called OpenTLS?)

Q1:
What's the latest patch/package for Solaris 10 (for x86) that is non-vulnerable?

Q2:
Kindly provide the Oracle link to download it as well as all pre-requisite packages.  I have a
subscription to Oracle but last logged in to SunSolve a couple of years before Oracle acquired
Sun, so I've lost touch.

Q3:
Do provide brief Solaris commands (I last recall it's something like 'pkgadd -d ./...' or 'patchadd ...')
to install the pre-requisite packages and this non-vulnerable OpenSSL.

Q4:
I guess OpenSSL is only used in web servers, so how do I verify it has taken effect (i.e. using TLS
and not SSL) and whether it breaks anything?  If I could browse the webpage and load certain apps, is this good
enough?
Question by:sunhux
7 Comments
 
LVL 62

Assisted Solution

by:gheist
gheist earned 120 total points
ID: 40626532
Q1: Which CVE numbers do you refer to? It ships with such an old version of OpenSSL that it is not affected by Heartbleed, and is not fixable against Poodle.
Q2: Kindly use your subscription to find links, as they all are now fingerprinted.
Q3: You can use the graphical updater.
Q4: You are mistaken. Absolutely.
 

Author Comment

by:sunhux
ID: 40627329
If there's no patch for Poodle (or any of the OpenSSL vulnerabilities), I'm
looking for workarounds such as what's listed on
  https://support.oracle.com/epmos/faces/DocumentDisplay?id=1935621.1&_adf.ctrl-state=16z63srznx_859&_afrLoop=250521592555892

E.g., for Apache 2.x (I guess it's applicable to Oracle web servers as well, or is it?):
Make the following changes in the configuration file.

--- /etc/apache2/ssl.conf.orig  Wed Oct 15 21:24:24 2014
+++ /etc/apache2/ssl.conf       Wed Oct 15 21:23:45 2014
@@ -102,6 +102,8 @@
# packages from the Solaris 10 Data Encryption Kit.
SSLCipherSuite ALL:!ADH:!EXPORT56:-AES256-SHA:-DHE-RSA-AES256-SHA:-DHE-DSS-AES256-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

+SSLProtocol All -SSLv2 -SSLv3
+
#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
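Review bot: the added `SSLProtocol All -SSLv2 -SSLv3` disables the protocol but leaves the `SSLCipherSuite` line directly above it untouched, and that list, built from `ALL`, still permits export-grade (`EXP`), `LOW` and RC4 suites: the `+LOW`, `+EXP` and `+eNULL` entries only reorder suites already in the list, they do not add or remove any, and `!EXPORT56` excludes only the 56-bit export ciphers. Once SSLv3 is off, the remaining TLSv1 sessions can still negotiate those weak suites, so the same change should also tighten the cipher string, for example `SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW`. Note as well that the directive lands in the global scope: an `SSLProtocol` inside any `<VirtualHost>` block takes precedence there, so each SSL virtual host must either carry the same line or have none of its own.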

Once this change is done, restart the Apache HTTPD service.  Apache httpd 2.x is managed by SMF, so the following command can be used:
svcadm restart svc:/network/http:apache2
To verify whether SSLv3 is disabled on your server, you can use the following command:
openssl s_client -connect <server>:<port> -ssl3
You should see a handshake failure if SSLv3 is disabled.

Any idea how we can fix it for, say, Glassfish or common Solaris apps
that use OpenSSL?
E.g., for Python, we would do:
Instead of using any of:

PROTOCOL_SSLv2
PROTOCOL_SSLv3
PROTOCOL_SSLv23

Use:
PROTOCOL_TLSv1
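As an added example (not from the thread, and not Oracle's or Apache's own code), a small Python audit for the two settings discussed in the comment above. It evaluates Apache mod_ssl `SSLProtocol` directives the way mod_ssl does (`all` is every version, `+name` adds, `-name` removes, a bare `name` replaces the set, and the last directive wins), reports whether SSLv2/SSLv3 are still enabled, and shows the current `ssl` module equivalent of the 2015-era `PROTOCOL_TLSv1` advice. The sample configuration text is constructed; the assumption that `all` expands to the five versions listed (the Apache 2.2 shipped with Solaris 10 knows only SSLv2, SSLv3 and TLSv1) is noted in the code.

```python
import ssl

# Protocol keywords mod_ssl understands. Assumption: we model the five
# versions a current mod_ssl knows; the Apache 2.2 shipped with Solaris 10
# only knows SSLv2, SSLv3 and TLSv1, but the directive semantics are the same.
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
LEGACY = frozenset({"SSLv2", "SSLv3"})


def effective_protocols(args):
    """Evaluate the arguments of one SSLProtocol directive.

    mod_ssl semantics: 'all' means every version, '+name' adds, '-name'
    removes, and a bare 'name' replaces the whole set. Case-insensitive.
    """
    enabled = set()
    for word in args:
        action = word[0] if word[:1] in ("+", "-") else ""
        name = word[1:] if action else word
        if name.lower() == "all":
            members = set(PROTOCOLS)
        else:
            members = {p for p in PROTOCOLS if p.lower() == name.lower()}
            if not members:
                raise ValueError(f"unknown SSLProtocol keyword: {word!r}")
        if action == "+":
            enabled |= members
        elif action == "-":
            enabled -= members
        else:
            enabled = members
    return enabled


def audit_ssl_conf(text):
    """Return (enabled_protocols, legacy_still_enabled) for an ssl.conf body.

    The last SSLProtocol directive wins, as in mod_ssl; with no directive at
    all the mod_ssl default is 'all', which on an old build includes SSLv3.
    Assumption: the text is a single configuration scope (a <VirtualHost>
    with its own SSLProtocol must be audited on its own).
    """
    enabled = set(PROTOCOLS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].lower() == "sslprotocol":
            enabled = effective_protocols(parts[1:])
    return enabled, sorted(enabled & LEGACY)


def tls_only_context():
    """Client context that cannot negotiate SSLv2 or SSLv3.

    Current replacement for passing PROTOCOL_TLSv1: PROTOCOL_TLS_CLIENT
    already clears SSLv2/SSLv3, and minimum_version pins the floor explicitly.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_rejects_legacy_ssl(ctx):
    """True if the context has SSLv3 disabled and a TLS-only version floor."""
    return bool(ctx.options & ssl.OP_NO_SSLv3) and ctx.minimum_version >= ssl.TLSVersion.TLSv1


# Constructed sample modelled on the /etc/apache2/ssl.conf excerpt above.
SAMPLE_SSL_CONF = """\
#   SSL Cipher Suite (left as the Solaris 10 default in this sample)
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLProtocol All -SSLv2 -SSLv3
"""

if __name__ == "__main__":
    enabled, legacy = audit_ssl_conf(SAMPLE_SSL_CONF)
    print("enabled:", sorted(enabled), "legacy still on:", legacy)
    print("python context TLS-only:", context_rejects_legacy_ssl(tls_only_context()))
```

Run it against the real file with `audit_ssl_conf(open("/etc/apache2/ssl.conf").read())` before the `svcadm restart`; an empty second element means no legacy protocol survives in that scope, and the `openssl s_client -ssl3` handshake check then confirms it on the wire.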
 
LVL 62

Expert Comment

by:gheist
ID: 40627508
So disable SSLv3
You don't need any software patching after.
 

Author Comment

by:sunhux
ID: 40627711
Well, our Solaris x86 VMs have the following packages:

# pkginfo |grep -i openssl
system      SUNWopenssl-commands             OpenSSL Commands (Usr)
system      SUNWopenssl-include              OpenSSL Header Files
system      SUNWopenssl-libraries            OpenSSL Libraries (Usr)
system      SUNWopenssl-man                  OpenSSL Manual Pages
system      SUNWopensslr                     OpenSSL (Root)

Assuming they're of older versions, where do I get the newer non-
vulnerable packages?
 

Author Comment

by:sunhux
ID: 40627721
I recall seeing somewhere that there are ways to disable SSLv2 and SSLv3 at the
Windows and Linux OS level but can't locate the link/URL currently.

Is there anything similar for Solaris 10 x86?


One related query on OpenSSL:
HP told us their HPSA (HP Server Automation) is not vulnerable even though
our VA scanner reported it's vulnerable: HP said as long as SSLv2/v3 are
disabled at the OS level, what the VA scanner reports is a false positive.  Any truth?
 
LVL 62

Assisted Solution

by:gheist
gheist earned 120 total points
ID: 40627823
Probably the scanner checks the openssl package version.
While Poodle is a theoretical danger,
Heartbleed is a clear and present danger in any unpatched openssl 1.0.1 (and not older versions).
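As an added example (not from the thread), a small Python triage helper for the version-based scanner finding discussed above. It parses an `openssl version` banner into a comparable tuple, reports whether the version falls in the Heartbleed-affected range (the 1.0.1 series through 1.0.1f; 1.0.1g and the 0.9.x, 1.0.0 and 1.0.2 branches were never affected), and collects any CVE identifiers a vendor build advertises in its banner, because Solaris backports fixes without changing the version number and a version-only verdict is then not conclusive. The banner strings are constructed, and the `(+ security fixes for: ...)` suffix is an assumption about the Solaris banner format rather than captured output.

```python
import re

# "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 0.9.7d 17 Mar 2004", "3.0.2", ...
_VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")
_CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Heartbleed affected the 1.0.1 series up to and including 1.0.1f; 1.0.1g and
# the other branches (0.9.8, 1.0.0, 1.0.2 and later) never had the bug.
HEARTBLEED_FIRST = (1, 0, 1, "")
HEARTBLEED_LAST = (1, 0, 1, "f")


def parse_openssl_version(text):
    """Parse an OpenSSL version banner into a comparable tuple.

    The pre-3.0 letter suffix is a patch level that sorts alphabetically
    ('1.0.1' < '1.0.1a' < '1.0.1f'), which tuple comparison preserves.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), letters)


def heartbleed_affected_by_version(text):
    """Version-only verdict: True if the banner's version is 1.0.1 .. 1.0.1f."""
    return HEARTBLEED_FIRST <= parse_openssl_version(text) <= HEARTBLEED_LAST


def backported_fixes(text):
    """CVE identifiers the build advertises in its banner.

    Assumption: the vendor lists them inline (Solaris 10 appends a
    '(+ security fixes for: ...)' style suffix). Any CVE-YYYY-NNNN token is
    collected, so this also works on other banners that name their fixes.
    """
    return sorted(set(_CVE_RE.findall(text)))


def triage(banner):
    """Combine the version verdict with the context a version scanner lacks."""
    version = parse_openssl_version(banner)
    in_range = HEARTBLEED_FIRST <= version <= HEARTBLEED_LAST
    fixes = backported_fixes(banner)
    if not in_range:
        verdict = "outside Heartbleed range: version-based Heartbleed finding is a false positive"
    elif fixes:
        verdict = "in Heartbleed range but vendor lists backported fixes: confirm patch level"
    else:
        verdict = "in Heartbleed range with no backport evidence: patch"
    return {
        "version": version,
        "in_heartbleed_range": in_range,
        "backported_cves": fixes,
        "verdict": verdict,
    }


# Constructed banners (not captured from a real host).
SAMPLES = [
    "OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: CVE-2014-3566)",
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(banner, "->", triage(banner)["verdict"])
```

Feed it the output of `openssl version` (or the version field from `pkginfo -l SUNWopenssl-libraries`) on the host the scanner flagged; the first sample shows why a 0.9.7 banner is outside the Heartbleed range regardless of what a version-matching scanner reports, while a bare 1.0.1e banner needs a patch rather than an exception.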
 
LVL 63

Accepted Solution

by:btan
btan earned 380 total points
ID: 40636621
A1: The latest patch for Solaris should be referenced from the Oracle site (Jan 15, if I recall correctly); for the latest SSL-related patch please see A2
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

A2: Oracle, addressing the SSLv3 vulnerability, is primarily looking at Poodle; they advise disabling SSL 3.0 in all Oracle products that support this protocol.
http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html
You should still be able to create a free account; it gives you access to a variety of online services, applications, and communities: https://profile.oracle.com/myprofile/account/create-account.jspx

A3: Better to get the official patch (have an account) to address the CVE, and also, if you installed JRE and JDK, you need to disable JRE and JDK in Oracle Solaris too (developer-based though). http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html

A4: Primarily it is Apache HTTPD; you do not control the client, but minimally the web server should disable SSLv3 and below.
http://sunadmintips.blogspot.sg/2012/10/disable-weak-ssl-ciphers-httpd-apache.html
Best to check if there are any other web servers installed, e.g. nginx installed by a user in this case, and with openssl.
http://wiki.nginx.org/Installing_on_Solaris_10_u5

As a whole, OpenSSL should be in S10 - https://blogs.oracle.com/janp/entry/on_openssl_versions_in_solaris

But overall, if we can find openssl in the platform, we should do the disabling also - you may be interested in this project (PCA - Patch Check Advanced): http://www.par.univie.ac.at/solaris/pca/usage.html