2015-07-09 Alternative chains certificate forgery (CVE-2015-1793)
A recently disclosed vulnerability affects several OpenSSL versions: 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o. It impacts any application that verifies certificates, including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers that use client authentication.
Check the OpenSSL version that you are currently using with the following command:
$ installdir/common/bin/openssl version
This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
NOTE: Windows installers are not affected, as they do not ship any of these versions.
How to patch it
To prevent malicious users from exploiting the vulnerability in the server, update the OpenSSL version by following the steps below:
Patch the library located in the installdir directory, by downloading and installing an update for your platform.
For 64-bit Linux systems: http://downloads.bitnami.com/files/stacks/opensslfixer/1.0.1p-1/bitnami-opensslfixer-1.0.1p-1-linux-x64-installer.run md5: 4a43b69e22991521a0aa688ae9b5563e
For 32-bit Linux systems: http://downloads.bitnami.com/files/stacks/opensslfixer/1.0.1p-1/bitnami-opensslfixer-1.0.1p-1-linux-installer.run md5: d490798647f48173b2ad197a4d841efe
For Mac OS X systems: http://downloads.bitnami.com/files/stacks/opensslfixer/1.0.1p-0/bitnami-opensslfixer-1.0.1p-0-osx-x86_64-installer.dmg md5: baa2497f022a4a4ac21748d3e9ce5fb5
Install the patch using the commands below:
$ chmod +x ./bitnami-opensslfixer-1.0.1p-1-linux-installer.run
$ sudo ./bitnami-opensslfixer-1.0.1p-1-linux-installer.run
The patch will check if your installation is vulnerable and if so, update the library version to a safe one. At the end of the patching process, it will ask for permission to restart your services (recommended) so the changes take effect. It will also save all the updated files in the installdir/opensslfix directory and the replaced files (in case they are needed to perform a rollback) in the installdir/opensslfix/backup/ directory.
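The two checks a practitioner wants before running the fixer with sudo, as an added example that is not part of this page or of the Bitnami installer: decide from the output of "openssl version" whether the installed build is one of the four affected releases, and verify that the downloaded installer's MD5 matches the value listed next to its download link. The installdir variable is assumed to point at the Bitnami installation directory.

```shell
#!/bin/sh
# Added example (not Bitnami's own code): pre-checks for the CVE-2015-1793 fixer.

# Releases the page lists as affected.
AFFECTED_VERSIONS="1.0.2c 1.0.2b 1.0.1n 1.0.1o"

# openssl_is_affected "<output of openssl version>"
# Returns 0 (true) when the release token is one of AFFECTED_VERSIONS, 1 otherwise.
openssl_is_affected() {
    # "OpenSSL 1.0.1o 12 Jun 2015" -> the second field is the release token
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    for a in $AFFECTED_VERSIONS; do
        [ "$ver" = "$a" ] && return 0
    done
    return 1
}

# verify_installer_md5 <file> <expected md5 from the download list>
# Returns 0 only when the file exists and its MD5 matches the expected value.
verify_installer_md5() {
    file=$1
    expected=$2
    [ -f "$file" ] || return 1
    if command -v md5sum >/dev/null 2>&1; then
        actual=$(md5sum "$file" | awk '{print $1}')
    else
        actual=$(md5 -q "$file")   # Mac OS X has md5, not md5sum
    fi
    [ "$actual" = "$expected" ]
}

# Usage against the stack's own binary (installdir is an assumption).
if [ -n "$installdir" ] && [ -x "$installdir/common/bin/openssl" ]; then
    if openssl_is_affected "$("$installdir/common/bin/openssl" version)"; then
        echo "Installed OpenSSL is an affected release; apply the fixer."
    else
        echo "Installed OpenSSL is not one of the affected releases."
    fi
fi
```

Run verify_installer_md5 on the downloaded .run file with the md5 shown beside its link before the chmod and sudo steps; a mismatch means the download is corrupt or not the file the page points at.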
Apache fails to start after applying this patch
This usually happens because of some binary incompatibility. The installer will allow you to restore the installation back to its previous state, as shown below:
Apache configuration seems to fail after applying the patch. Do you want to restore to the previous state? [Y/n]:
Select “Y” to go back to the working (but vulnerable) version. If the rollback process fails, manually copy the files from the backup directory, as shown below:
$ cp -rp installdir/opensslfix/backup/* installdir/common
$ installdir/ctlscript.sh restart apache
Next, execute the OpenSSL Fixer as follows, with the --forceversioned 1 parameter:
$ chmod +x ./bitnami-opensslfixer-1.0.1p-1-linux-x64-installer.run
$ sudo ./bitnami-opensslfixer-1.0.1p-1-linux-x64-installer.run --forceversioned 1
If the problem persists, post a question in the community so we can help you troubleshoot the issue.