2020-04-21 OpenSSL segmentation fault in SSL_check_chain (CVE-2020-1967)
An important vulnerability was found in the way OpenSSL 1.1.1 handles TLS 1.3 handshakes. Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference caused by incorrect handling of the "signature_algorithms_cert" TLS extension. A malicious peer could exploit this in a Denial of Service attack.
Find more information about it in the OpenSSL Security Advisory.
Affected server platforms
Some installers, Virtual Machines and Cloud Images include a bundled OpenSSL with the Bitnami application. If that is the case, you will find the openssl binary in the installation directory. For these applications, check the OpenSSL version with the following command:
$ /opt/bitnami/common/bin/openssl version
- Versions affected: OpenSSL 1.1.1 versions prior to 1.1.1g are vulnerable.
- Versions not affected: Versions 1.1.0 or 1.0.2.
If that is your case, we recommend deploying a newly available version of the Bitnami solution on your platform and migrating the data to the new server. We can help you in our github repository.
Secure The System
Additionally, for all Bitnami deployments, in order to secure your server you need to update both the OpenSSL version included in the system and the OpenSSL included in the Bitnami installation. All currently supported OS versions ship a non-vulnerable OpenSSL, so no system update is required for this specific issue:
- Debian 9: 1.0.1
- CentOS 7: 1.0.2
- Ubuntu 16.04: 1.0.2
Containers and Helm Charts
This issue affects all the Bitnami Containers in the Open Source Catalog that are based on Debian 10 and use the OpenSSL library. At the time of writing this note, Bitnami is releasing new container images and Helm Charts with the fixed OpenSSL version 1.1.1d-0+deb10u3.
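The two checks above (the `openssl version` output of a bundled binary, and the Debian 10 package revision) can be scripted. The following helper is an added example, not part of the advisory or of Bitnami's tooling; it encodes the page's thresholds (1.1.1 before 1.1.1g is affected; on Debian 10 the fix is the backport 1.1.1d-0+deb10u3, so the upstream letter alone does not tell you whether the package is patched). Sample inputs in the comments are constructed, and the libssl1.1 package name used in the usage comment is an assumption.

```shell
#!/bin/sh
# Added helper (not from the advisory): classify OpenSSL version strings for CVE-2020-1967.
# Only the OpenSSL 1.1.1 series before 1.1.1g is affected; 1.1.0 and 1.0.2 are not.

# Usage: upstream_status "$(/opt/bitnami/common/bin/openssl version)"
# Prints: vulnerable | fixed | not-affected
upstream_status() {
    set -- $1                       # split "OpenSSL 1.1.1d  10 Sep 2019" into words
    case "$2" in
        1.1.1 | 1.1.1[a-f]*)  echo vulnerable ;;    # 1.1.1 through 1.1.1f
        1.1.1[g-z]*)          echo fixed ;;         # 1.1.1g and later letters
        *)                    echo not-affected ;;  # 1.1.0, 1.0.2, other series
    esac
}

# Debian 10 backports the fix without changing the upstream letter, so a patched
# container still prints "OpenSSL 1.1.1d". Check the package revision instead.
# Usage (package name is an assumption): deb10_pkg_status "$(dpkg-query -W -f='${Version}' libssl1.1)"
deb10_pkg_status() {
    case "$1" in
        1.1.1d-0+deb10u[0-2])  echo vulnerable ;;   # deb10u0..deb10u2 predate the fix
        1.1.1d-0+deb10u*)      echo fixed ;;        # deb10u3 (the fix) and later
        *)                     upstream_status "OpenSSL $1" ;;  # not a Debian 10 build: use the upstream rule
    esac
}
```

Run it against the constructed inputs in the comments, or feed it the real output of `openssl version` on a bundled installation.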
- [Update 16.00 UTC April 23rd] All the single-VMs for AWS and Azure have been released. We continue working with the Marketplace teams to publish them.
- [Update 9.00 UTC April 23rd] All the installers and single-VMs for GCE and VMware Marketplaces have been released and they are available.
- [Update 14.00 UTC April 22nd] All the Bitnami Helm Charts have been released for using the containers with a fixed OpenSSL library.
- [Update 10.00 am UTC April 22nd] All the Bitnami Container images based on Debian 10 have been released in all the supported registries: Docker Hub, GCR.io and Quay.io.
Do you have more questions? You can open an issue in this github repository so we can help you there.