2016-09-22 OpenSSL OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. You can find out more information about it in the OpenSSL Security Advisory.
Affected platforms
Check the OpenSSL version that you are currently using with the following command:
$ /opt/bitnami/common/bin/openssl version
OpenSSL versions prior to 1.0.1u, 1.0.2i and 1.1.0a are vulnerable and allow a malicious client to exhaust the server’s memory.
Secure the system
To secure your server, you need to update the OpenSSL version included in the system and the OpenSSL included in the Bitnami installation.
NOTE: At the time we wrote this documentation, the packages for the other distributions had not yet been released.
Debian
Follow the steps below:
- Update the system OpenSSL library with these commands:
$ sudo apt-get update
$ sudo apt-get install -y openssl libssl1.0.0
- Check that the version was updated (please note the “built on” date):
$ /usr/bin/openssl version -a
OpenSSL 1.0.1t 3 May 2016
built on: Thu Sep 22 06:42:20 2016
- Restart any service using libssl:
$ sudo /opt/bitnami/ctlscript.sh restart
Ubuntu
Follow the steps below:
- Update the system OpenSSL library with these commands:
$ sudo apt-get update
$ sudo apt-get install -y openssl libssl1.0.0
- Check that the version was updated (please note the “built on” date):
$ /usr/bin/openssl version -a
OpenSSL 1.0.1f 6 Jan 2014
built on: Thu Sep 22 17:59:24 UTC 2016
- Restart any service using libssl:
$ sudo /opt/bitnami/ctlscript.sh restart
Red Hat
Follow the steps below:
- Update the system OpenSSL library with this command:
$ sudo yum -y update openssl
- Check that the version was updated (please note the “built on” date):
$ /usr/bin/openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Thu Sep 22 05:31:09 EDT 2016
- Restart any service using libssl:
$ sudo /opt/bitnami/ctlscript.sh restart
Oracle Linux
Follow the steps below:
- Update the system OpenSSL library with this command:
$ sudo yum -y update openssl
- Check that the version was updated (please note the “built on” date):
$ /usr/bin/openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Sep 27 05:35:00 PDT 2016
- Restart any service using libssl:
$ sudo /opt/bitnami/ctlscript.sh restart
CentOS
Follow the steps below:
- Update the system OpenSSL library with this command:
$ sudo yum -y update openssl
- Check that the version was updated (please note the “built on” date):
$ /usr/bin/openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Sep 27 13:37:25 UTC 2016
- Restart any service using libssl:
$ sudo /opt/bitnami/ctlscript.sh restart
Amazon Linux
Follow the steps below:
- Update the system OpenSSL library with this command:
$ sudo yum -y update openssl
- Check that the version was updated (please note the “built on” date):
$ /usr/bin/openssl version -a
OpenSSL 1.0.1k-fips 8 Jan 2015
built on: Thu Sep 22 19:07:16 2016
- Restart any service using libssl:
$ sudo /opt/bitnami/ctlscript.sh restart
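The two checks on this page answer different questions. The upstream version number from "Affected platforms" (fixed in 1.0.1u, 1.0.2i and 1.1.0a) is decisive for the OpenSSL bundled under /opt/bitnami, but the distribution packages in the steps above keep their old number (1.0.1t, 1.0.1f, 1.0.1e, 1.0.1k) and carry the fix as a backport, which is why the steps tell you to look at the "built on" date instead. The POSIX shell script below, added here as an example and not part of the Bitnami documentation or tooling, applies both tests to the output of `openssl version -a`: it compares the version against the fixed release of its branch and, only when the number is below the fix, looks for a rebuild dated on or after the advisory date. The sample outputs embedded at the bottom are constructed, and using 22 September 2016 as the cut-off date is this script's assumption.

```shell
#!/bin/sh
# Added example, not Bitnami's own tooling: assess `openssl version -a` output
# for CVE-2016-6304 with the two signals the page uses.
#  1. Upstream version number (fixed in 1.0.1u, 1.0.2i, 1.1.0a): decisive for
#     the OpenSSL bundled under /opt/bitnami.
#  2. "built on:" date: distribution packages keep the old version number and
#     backport the fix, so a rebuild on or after the advisory date is the
#     signal the page asks you to look for. Using that date as the cut-off is
#     this script's assumption, not a guarantee.

FIX_DATE=20160922   # advisory date, YYYYMMDD

# Map "1.0.1t", "1.0.2k-fips" or "3.0.2" to a sortable integer:
# major*1000000 + minor*10000 + patch*100 + letter (a=1 ... z=26, none=0).
version_key() {
    v=$1
    num=$(printf '%s' "$v" | sed 's/[a-z].*$//')
    suffix=$(printf '%s' "$v" | sed 's/^[0-9.]*//; s/[^a-z].*$//')
    major=$(printf '%s' "$num" | cut -d. -f1)
    minor=$(printf '%s' "$num" | cut -d. -f2)
    patch=$(printf '%s' "$num" | cut -d. -f3)
    letter=0
    if [ -n "$suffix" ]; then
        letter=$(printf '%d' "'$suffix")   # ASCII code of the letter ('a' = 97)
        letter=$((letter - 96))
    fi
    echo $((${major:-0} * 1000000 + ${minor:-0} * 10000 + ${patch:-0} * 100 + letter))
}

# 0 if the version is at or above the first fixed release of its branch,
# 1 if below it, 2 if the branch is not covered by the advisory.
version_has_fix() {
    v=$1
    case "$(printf '%s' "$v" | sed 's/[a-z].*$//')" in
        1.0.1) fixed=1.0.1u ;;
        1.0.2) fixed=1.0.2i ;;
        1.1.0) fixed=1.1.0a ;;
        *)  # newer branches postdate the fix; 0.9.8/1.0.0 are end-of-life
            if [ "$(version_key "$v")" -gt "$(version_key 1.1.0a)" ]; then
                return 0
            fi
            return 2 ;;
    esac
    [ "$(version_key "$v")" -ge "$(version_key "$fixed")" ]
}

# Print the "built on:" date as YYYYMMDD; prints nothing if there is none.
# Accepts "Thu Sep 22 06:42:20 2016", "... 17:59:24 UTC 2016", "... PDT 2016".
built_on_date() {
    printf '%s\n' "$1" | awk '
        /^built on:/ {
            year = ""; month = 0; day = 0
            for (i = 3; i <= NF; i++) {
                m = index("JanFebMarAprMayJunJulAugSepOctNovDec", $i)
                if (m && length($i) == 3 && (m - 1) % 3 == 0) month = (m + 2) / 3
                else if ($i ~ /^[0-9][0-9]?$/) day = $i
                else if ($i ~ /^[0-9][0-9][0-9][0-9]$/) year = $i
            }
            if (year != "" && month && day) printf "%04d%02d%02d\n", year, month, day
        }'
}

# 0 if the build date is on or after the advisory date.
built_after_fix() {
    d=$(built_on_date "$1")
    [ -n "$d" ] && [ "$d" -ge "$FIX_DATE" ]
}

# Print "patched", "vulnerable" or "unknown"; return 0 only for "patched".
assess() {
    out=$1
    ver=$(printf '%s\n' "$out" | awk '$1 == "OpenSSL" { print $2; exit }')
    version_has_fix "$ver" && rc=0 || rc=$?
    if [ "$rc" -eq 0 ]; then echo patched; return 0; fi
    if [ "$rc" -eq 2 ]; then echo unknown; return 1; fi
    # Number is below the fix: only a backported rebuild can be patched.
    if built_after_fix "$out"; then echo patched; return 0; fi
    echo vulnerable; return 1
}

# Constructed samples in the shape of `openssl version -a` output.
SAMPLE_DEBIAN='OpenSSL 1.0.1t  3 May 2016
built on: Thu Sep 22 06:42:20 2016'
SAMPLE_OLD='OpenSSL 1.0.2h  3 May 2016
built on: Tue May  3 12:00:00 2016'
SAMPLE_BITNAMI='OpenSSL 1.0.2j  26 Sep 2016
built on: Mon Sep 26 12:00:00 2016'

# Check the two binaries the page refers to, where present on this host.
for bin in /opt/bitnami/common/bin/openssl /usr/bin/openssl; do
    [ -x "$bin" ] || continue
    printf '%s: ' "$bin"
    assess "$("$bin" version -a)" || true
done
```

The date path is a necessary condition, not proof: a package rebuilt after 22 September 2016 for an unrelated reason would also pass, so a "patched" verdict reached through the build date is only "consistent with the check on this page". When it matters, confirm with the package changelog (`apt-get changelog openssl` on Debian and Ubuntu, `rpm -q --changelog openssl` on the yum-based distributions), which records the CVE the rebuild addressed.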
How to patch the Bitnami installation
To prevent malicious users from exploiting the vulnerability in the server, update the OpenSSL version by following the steps below:
- Patch the library located in the /opt/bitnami directory by downloading and installing the update for your platform:
  - For 64-bit Linux systems: https://downloads.bitnami.com/files/opensslfixer/bitnami-opensslfixer-1.0.2j-1-linux-x64-installer.run (md5: d1a619be6f37e1ddab779e41f5482a44)
  - For 32-bit Linux systems: https://downloads.bitnami.com/files/opensslfixer/bitnami-opensslfixer-1.0.2j-1-linux-installer.run (md5: 7db5a41ac60dfd81feab41de8b497a64)
  - For Mac OS X systems: https://downloads.bitnami.com/files/opensslfixer/bitnami-opensslfixer-1.0.2j-1-osx-x86_64-installer.app.zip (md5: 07fdd3d6aee0993ea15ab2090b4adff3)
- Install the patch using the commands below (the file name shown is the 64-bit Linux installer downloaded in the previous step):
$ chmod +x ./bitnami-opensslfixer-1.0.2j-1-linux-x64-installer.run
$ sudo ./bitnami-opensslfixer-1.0.2j-1-linux-x64-installer.run
The patch will check if your installation is vulnerable and if so, update the library version to a safe one. At the end of the patching process, it will ask for permission to restart your services (recommended) so the changes take effect. It will also save all the updated files in the /opt/bitnami/opensslfix directory and the replaced files (in case they are needed to perform a rollback) in the /opt/bitnami/opensslfix/backup/ directory.
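The installer runs as root and replaces libraries under /opt/bitnami, so the md5 values published with the download links are worth checking before the `chmod +x` step rather than after. The POSIX shell script below is an added example, not part of the Bitnami opensslfixer or its documentation: it keeps the three file names and digests from the list above in a table, computes the digest of a downloaded file with `md5sum` (falling back to the `openssl` command-line tool), and only marks the file executable when the digest matches. It assumes the installer was downloaded under its original file name.

```shell
#!/bin/sh
# Added example, not part of the Bitnami opensslfixer: verify a downloaded
# installer against the md5 published on the page before running it. A
# mismatch means a corrupt or altered download and the file is left alone.

# File name and md5, copied from the download list on the page.
INSTALLER_MD5='
bitnami-opensslfixer-1.0.2j-1-linux-x64-installer.run d1a619be6f37e1ddab779e41f5482a44
bitnami-opensslfixer-1.0.2j-1-linux-installer.run 7db5a41ac60dfd81feab41de8b497a64
bitnami-opensslfixer-1.0.2j-1-osx-x86_64-installer.app.zip 07fdd3d6aee0993ea15ab2090b4adff3
'

# Print the md5 of a file: md5sum where available, else the openssl CLI
# (present on every host this page covers; its output is "MD5(file)= hash").
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/^.*= //'
    fi
}

# Look up the published digest for a file name; prints nothing if unknown.
expected_md5() {
    printf '%s\n' "$INSTALLER_MD5" | awk -v n="$1" '$1 == n { print $2 }'
}

# 0 when the file's digest equals the expected one, 1 otherwise.
md5_matches() {
    actual=$(file_md5 "$1")
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Verify a downloaded installer by its file name and, on success, mark it
# executable. Returns 1 for an unknown name or a digest mismatch.
verify_installer() {
    f=$1
    want=$(expected_md5 "$(basename "$f")")
    if [ -z "$want" ]; then
        echo "no published checksum for $(basename "$f")" >&2
        return 1
    fi
    if md5_matches "$f" "$want"; then
        chmod +x "$f"
        echo "$f: checksum OK"
    else
        echo "$f: checksum MISMATCH (expected $want, got $(file_md5 "$f"))" >&2
        return 1
    fi
}

# Typical use, after downloading the 64-bit installer into the current directory:
#   verify_installer ./bitnami-opensslfixer-1.0.2j-1-linux-x64-installer.run \
#       && sudo ./bitnami-opensslfixer-1.0.2j-1-linux-x64-installer.run
```

MD5 is no longer collision-resistant, so this check protects against truncated or corrupted downloads and against a file that differs from the one the page describes; it is only as trustworthy as the page the digests were read from, which is why the table is filled in from the HTTPS-served documentation rather than from the download site itself.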
Troubleshooting
Apache fails to start after applying this patch
This usually happens because of a binary incompatibility. The installer will allow you to restore the installation to its previous state, as shown below:
Apache configuration seems to fail after applying the patch. Do you want to restore to the previous state? [Y/n]:
Select “Y” to go back to the working (but vulnerable) version. If the rollback process fails, manually copy the files from the backup directory, as shown below:
$ cp -rp /opt/bitnami/opensslfix/backup/* /opt/bitnami/common
$ /opt/bitnami/ctlscript.sh restart apache
Please direct any questions you have about this issue to our GitHub repository so we can help you troubleshoot it.