Solved

Solaris 10 x86 OpenSSL patch/package to address vulnerabilities

Posted on 2015-02-23
Last Modified: 2015-03-11
There have been quite a number of OpenSSL vulnerabilities lately, and even SSLv3 is now vulnerable;
I guess only TLS with certain ciphers is now non-vulnerable (perhaps it should be called OpenTLS?)

Q1:
What's the latest patch/package for Solaris 10 (for x86) that is non-vulnerable?

Q2:
Kindly provide the Oracle link to download it as well as all pre-requisite packages.   I have a
subscription to Oracle but my last login to SunSolve was a couple of years before Oracle acquired
Sun, so I've lost touch.

Q3:
Do provide brief Solaris commands (I last recall it's something like 'pkgadd -d ./...' or 'patchadd ...')
to install the pre-requisite packages and this non-vulnerable OpenSSL.

Q4:
I guess OpenSSL is only used in web servers, so how do I verify it has taken effect (i.e. using TLS
and not SSL) and whether it breaks anything?  If I can browse the web page and load certain apps, is this good
enough?
Question by:sunhux
7 Comments
 
LVL 61

Assisted Solution

by:gheist
gheist earned 120 total points
ID: 40626532
Q1: What CVE numbers do you refer to? It ships with such an old version of OpenSSL that it is not affected by Heartbleed, and is not fixable against POODLE.
Q2: Kindly use your subscription to find links, as they are all now fingerprinted.
Q3: You can use graphical updater.
Q4: You are mistaken. Absolutely
 

Author Comment

by:sunhux
ID: 40627329
If there's no patch for POODLE (or any of the OpenSSL vulnerabilities), I'm
looking for workarounds such as what's listed at
  https://support.oracle.com/epmos/faces/DocumentDisplay?id=1935621.1&_adf.ctrl-state=16z63srznx_859&_afrLoop=250521592555892

E.g., for Apache 2.x (I guess it's applicable to Oracle web servers as well, or is it?):
Make the following changes in the configuration file.

--- /etc/apache2/ssl.conf.orig  Wed Oct 15 21:24:24 2014
+++ /etc/apache2/ssl.conf       Wed Oct 15 21:23:45 2014
@@ -102,6 +102,8 @@
# packages from the Solaris 10 Data Encryption Kit.
SSLCipherSuite ALL:!ADH:!EXPORT56:-AES256-SHA:-DHE-RSA-AES256-SHA:-DHE-DSS-AES256-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

+SSLProtocol All -SSLv2 -SSLv3
+
#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
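Review bot: the new SSLProtocol line removes SSLv2 and SSLv3 at the protocol layer, but the SSLCipherSuite line kept two lines above it still ends in RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL, so after this change a TLS client can still negotiate RC4, LOW, export-grade and even eNULL (no encryption) suites; the only permanent exclusions in that string are !ADH and !EXPORT56. The companion change belongs in the same hunk, e.g. replace the cipher line with SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW:!RC4 and add SSLHonorCipherOrder on, then confirm with openssl ciphers -v '<string>' that no RC4, EXP or NULL suites remain in the expanded list.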

Once this change is done, restart the Apache HTTPD service.  Apache httpd 2.x is managed by SMF, so the following command can be used:
svcadm restart svc:/network/http:apache2
To verify whether SSLv3 is disabled on your server you can use following command:
openssl s_client -connect <server>:<port> -ssl3
You should see handshake failure if SSLv3 is disabled.

Any idea how we can fix it for, say, GlassFish or common Solaris apps
that use OpenSSL?
E.g., for Python, we would do:
Instead of using any of:

PROTOCOL_SSLv2
PROTOCOL_SSLv3
PROTOCOL_SSLv23

Use:
PROTOCOL_TLSv1
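The ssl.conf edit and SMF restart quoted in the comment above can be checked before httpd is bounced. The script below is an added example, not part of the thread and not Oracle's or Apache's code: it reads the effective SSLProtocol and SSLCipherSuite directives from an ssl.conf and flags the weak settings (SSLv3 still allowed; RC4, +LOW, +EXP, +SSLv2 or +eNULL tokens still enabled), using two constructed sample configs, a "before" that mirrors the Solaris 10 lines quoted above and a hardened "after". The paths /etc/apache2/ssl.conf and /usr/apache2/bin/apachectl are assumed Solaris 10 defaults, the token walk is lexical (openssl ciphers -v is the authoritative expansion), and on Solaris 10 it should be run under /usr/xpg4/bin/sh or ksh, since the legacy /bin/sh there lacks $(...) and ${var#pat}.

```shell
#!/bin/sh
# Added example, not from the thread or from Oracle's note. Audits an Apache
# ssl.conf for the two directives discussed above and returns non-zero when
# SSLv3 or weak cipher tokens are still enabled. Paths and sample configs
# are assumed/constructed for demonstration.

# effective_directive FILE NAME
# Prints the value of the last uncommented NAME directive (Apache uses the
# last occurrence when a directive is repeated), or nothing if absent.
effective_directive() {
    awk -v name="$2" 'tolower($1) == tolower(name) {
            sub(/^[ \t]*[^ \t]+[ \t]*/, ""); val = $0 }
        END { print val }' "$1"
}

# audit_ssl_conf FILE
# Prints one "WEAK: ..." line per finding; returns 0 if clean, 1 otherwise.
audit_ssl_conf() {
    rc=0
    proto=$(effective_directive "$1" SSLProtocol)
    if [ -z "$proto" ]; then
        echo "WEAK: no SSLProtocol directive, mod_ssl's default still offers SSLv3"
        rc=1
    else
        case "$proto" in
            *-SSLv3*) ;;                        # explicitly removed: fine
            *[Aa][Ll][Ll]*|*SSLv3*)             # 'All' without -SSLv3, or +SSLv3
                echo "WEAK: SSLProtocol '$proto' still allows SSLv3"; rc=1 ;;
            *) ;;                               # positive list such as 'TLSv1'
        esac
    fi
    ciphers=$(effective_directive "$1" SSLCipherSuite)
    # Walk the OpenSSL cipher string token by token: '!X' removes X for good,
    # '-X' removes it (re-addable), anything else, '+X' included, keeps X on.
    for tok in $(printf '%s\n' "$ciphers" | tr ':' ' '); do
        case "$tok" in
            '!'*|-*) continue ;;
        esac
        case "${tok#+}" in
            eNULL|aNULL|ADH|EXP|EXPORT*|LOW|SSLv2|*RC4*|*MD5*)
                echo "WEAK: cipher token '$tok' leaves weak or null ciphers enabled"
                rc=1 ;;
        esac
    done
    return $rc
}

# expand_ciphers FILE
# Authoritative view: let the local OpenSSL expand the configured string.
expand_ciphers() {
    openssl ciphers -v "$(effective_directive "$1" SSLCipherSuite)"
}

# Constructed samples. 'before' mirrors the Solaris 10 ssl.conf lines quoted
# in the thread (no SSLProtocol at all); 'after' is the hardened form.
write_before_conf() {
    cat > "$1" <<'EOF'
# packages from the Solaris 10 Data Encryption Kit.
SSLCipherSuite ALL:!ADH:!EXPORT56:-AES256-SHA:-DHE-RSA-AES256-SHA:-DHE-DSS-AES256-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
#   Server Certificate:
EOF
}
write_after_conf() {
    cat > "$1" <<'EOF'
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW:!RC4:!MD5
SSLHonorCipherOrder on
#   Server Certificate:
EOF
}

# With a file argument, audit that file (e.g. /etc/apache2/ssl.conf, the
# assumed Solaris 10 path); otherwise run the two samples. After a clean
# audit the thread's restart/verify steps apply:
#   /usr/apache2/bin/apachectl configtest && svcadm restart svc:/network/http:apache2
if [ $# -gt 0 ]; then
    audit_ssl_conf "$1"
else
    d=$(mktemp -d)
    write_before_conf "$d/before.conf"; write_after_conf "$d/after.conf"
    for f in before after; do
        if audit_ssl_conf "$d/$f.conf"; then echo "$f.conf: OK"; else echo "$f.conf: weak"; fi
    done
    rm -rf "$d"
fi
```

Run without arguments it audits the two built-in samples; the "before" config produces six findings (the missing SSLProtocol plus the RC4+RSA, +LOW, +SSLv2, +EXP and +eNULL tokens) and the "after" config none.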
 
LVL 61

Expert Comment

by:gheist
ID: 40627508
So disable SSLv3.
You don't need any software patching after that.

Author Comment

by:sunhux
ID: 40627711
Well, our Solaris x86 VMs have the following packages:

# pkginfo |grep -i openssl
system      SUNWopenssl-commands             OpenSSL Commands (Usr)
system      SUNWopenssl-include              OpenSSL Header Files
system      SUNWopenssl-libraries            OpenSSL Libraries (Usr)
system      SUNWopenssl-man                  OpenSSL Manual Pages
system      SUNWopensslr                     OpenSSL (Root)

Assuming they're older versions, where do I get the newer non-
vulnerable packages?
 

Author Comment

by:sunhux
ID: 40627721
I recall seeing somewhere that there are ways to disable SSLv2 & SSLv3 at the
Windows & Linux OS level but can't locate the link/URL currently.

Is there anything similar for Solaris 10 x86?


One related query on OpenSSL:
HP told us their HPSA (HP Server Automation) is not vulnerable even though
our VA scanner reported it's vulnerable: HP said that as long as SSLv2/v3 are
disabled at the OS level, what the VA scanner reports is a false positive.  Any truth to that?
 
LVL 61

Assisted Solution

by:gheist
gheist earned 120 total points
ID: 40627823
Probably the scanner checks the openssl package version.
While POODLE is a theoretical danger,
Heartbleed is a clear and present danger in any unpatched OpenSSL 1.0.1 (and not older versions).
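The point in the comment above, that a VA scanner is probably keying on the package version, is the reason to verify by behaviour instead, using the openssl s_client -ssl3 check quoted earlier in the thread. The script below is an added example, not from the thread or from any vendor: it handshakes once per protocol flag and classifies s_client's summary line, and it separates "the server rejected SSLv3" from "the local openssl could not even try" (an openssl built without SSLv3 prints "unknown option -ssl3", which proves nothing about the server and is an easy trap on newer scan hosts). The sample outputs are constructed in the shape OpenSSL 1.0.x prints; on Solaris 10 run it under /usr/xpg4/bin/sh or ksh rather than the legacy /bin/sh.

```shell
#!/bin/sh
# Added example, not from the thread. Tests SSLv3 support by actually
# handshaking with "openssl s_client" and classifying the result, rather
# than trusting a version-based verdict. Sample outputs below are constructed.

# classify_s_client OUTPUT -> accepted | rejected | untestable
# Reads s_client's "New, <ver>, Cipher is <x>" summary line: "(NONE)" means
# the server refused the handshake; no summary at all usually means the
# local openssl cannot speak that version ("unknown option -ssl3" on builds
# without SSLv3) or the host was unreachable, so nothing was proven.
classify_s_client() {
    case "$1" in
        *"Cipher is (NONE)"*) echo rejected ;;
        *"Cipher is "*)       echo accepted ;;
        *)                    echo untestable ;;
    esac
}

# negotiated_protocol OUTPUT -> value of the "Protocol  : ..." line, if any
negotiated_protocol() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -1
}

# probe_protocols HOST PORT
# One handshake per version flag; "Q" on stdin makes s_client quit at once.
probe_protocols() {
    for flag in -ssl2 -ssl3 -tls1 -tls1_1 -tls1_2; do
        out=$(printf 'Q\n' | openssl s_client -connect "$1:$2" $flag 2>&1)
        printf '%-8s %-10s %s\n' "$flag" "$(classify_s_client "$out")" \
            "$(negotiated_protocol "$out")"
    done
}

# sslv3_disabled HOST PORT -> 0 only if the server demonstrably rejects SSLv3
sslv3_disabled() {
    out=$(printf 'Q\n' | openssl s_client -connect "$1:$2" -ssl3 2>&1)
    [ "$(classify_s_client "$out")" = rejected ]
}

# Constructed sample outputs in the shape OpenSSL 1.0.x prints.
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
SSL handshake has read 1337 bytes and written 414 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES128-SHA'
SAMPLE_REJECTED='CONNECTED(00000003)
140735182553936:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1472:SSL alert number 40
---
no peer certificate available
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)'
SAMPLE_UNTESTABLE='unknown option -ssl3
usage: s_client args
 -host host     - use -connect instead'

# With HOST PORT arguments, probe a live server; otherwise show the
# classifier on the three constructed samples.
if [ $# -eq 2 ]; then
    probe_protocols "$1" "$2"
    if sslv3_disabled "$1" "$2"; then
        echo "SSLv3: rejected by $1:$2"
    else
        echo "SSLv3: NOT shown to be disabled on $1:$2"
    fi
else
    for s in "$SAMPLE_ACCEPTED" "$SAMPLE_REJECTED" "$SAMPLE_UNTESTABLE"; do
        echo "$(classify_s_client "$s") $(negotiated_protocol "$s")"
    done
fi
```

Only "rejected" for -ssl3 counts as evidence that the server has SSLv3 off; an "untestable" row means the scan host's own OpenSSL needs to be one that still has SSLv3 compiled in before the result says anything about the target.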
 
LVL 61

Accepted Solution

by:btan
btan earned 380 total points
ID: 40636621
A1: The latest patch for Solaris should be referenced from the Oracle site (Jan 15, if I recall correctly); for the latest SSL-related patch please see A2
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

A2: Oracle addressing the SSLv3 vulnerability, primarily looking at POODLE: they advise disabling SSL 3.0 in all Oracle products that support this protocol.
http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html
You should still be able to create free account - it gives you access to a variety of online services, applications, and communities https://profile.oracle.com/myprofile/account/create-account.jspx

Kindly provide the Oracle link to download it as well as all pre-requisite packages.   I have a
subscription to Oracle but my last login to SunSolve was a couple of years before Oracle acquired
Sun, so I've lost touch.

A3: Better to get the official patch (have an account) to address the CVE; also, if you have the JRE and JDK installed, you need to disable SSLv3 in the JRE and JDK on Oracle Solaris too (developer-based though). http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html

A4: Primarily it is Apache HTTPD; you do not control the client, but minimally the web server should disable SSLv3 and below.
http://sunadmintips.blogspot.sg/2012/10/disable-weak-ssl-ciphers-httpd-apache.html
Best to check if there are any other web servers installed, e.g. nginx installed by a user, in this case with OpenSSL.
http://wiki.nginx.org/Installing_on_Solaris_10_u5

As a whole, Openssl should be in S10 - https://blogs.oracle.com/janp/entry/on_openssl_versions_in_solaris

But overall, if we can find OpenSSL on the platform, we should do the disabling also; you may be interested in this project (PCA - Patch Check Advanced): http://www.par.univie.ac.at/solaris/pca/usage.html
