ESA-19: Update OpenSSL Packages to Address OpenSSL CCS Injection Vulnerability


Eucalyptus Security Team

Jun 6, 2014, 10:11:03 PM
to security...@eucalyptus.com

====================================================================
Eucalyptus Security Advisory

Advisory ID: ESA-19
Issue Date: 2014-06-06
Last Updated: 2014-06-06
Severity Level: Informational
Affected Versions: CentOS 6.5, RHEL 6
CVE Number: CVE-2014-0224
====================================================================

OVERVIEW
------------

The CCS injection vulnerability, which affects all versions of OpenSSL, allows a man-in-the-middle attack against SSL/TLS connections. All Eucalyptus installs on CentOS 6.5 or RHEL 6 need to be updated to the latest openssl packages:

- https://access.redhat.com/site/articles/904433?sc_cid=70160000000dOVdAAM
- http://lists.centos.org/pipermail/centos-announce/2014-June/020344.html

DESCRIPTION
-------------

The CCS injection vulnerability has been announced in the OpenSSL library:

https://www.openssl.org/news/secadv_20140605.txt

This vulnerability allows a man-in-the-middle attack against SSL/TLS connections in which data exchanged over the encrypted channel can be decrypted by an unauthorized party. The vulnerability can only be exploited if both server *and* client are vulnerable to the issue:

https://access.redhat.com/site/articles/904433?sc_cid=70160000000dOVdAAM

The OpenSSL library provided by the host OS is a dependency of the Eucalyptus and User Console products. To ensure that a Eucalyptus cloud is not affected by the issue, all installs running on affected distributions need to be updated to the latest openssl packages.


SOLUTION
-------------

Upgrade to the latest OpenSSL package provided by your distribution:

- https://access.redhat.com/security/cve/CVE-2014-0224
- http://lists.centos.org/pipermail/centos-announce/2014-June/020344.html


CONTACT and HELP
-------------

Contact the Eucalyptus Security Team at secu...@eucalyptus.com.
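
A post-upgrade check for the SOLUTION step, added here as an example and not part of the original advisory or of Eucalyptus tooling. It confirms that the installed openssl package's changelog lists the CVE, and finds processes that still map the pre-upgrade library and therefore need a restart. The function names and the `--run` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify the openssl update for CVE-2014-0224 took effect.
CVE="CVE-2014-0224"

# Reads `rpm -q --changelog openssl` output on stdin; succeeds if the CVE is
# listed. RHEL/CentOS backport fixes, so the upstream version string alone
# does not show whether the fix is present.
changelog_has_fix() {
    grep -q -- "$CVE"
}

# Prints the PID of every process under the given proc root (default /proc)
# that still maps a libssl/libcrypto file replaced on disk. Such mappings
# are marked "(deleted)" in /proc/PID/maps. Run as root to see all processes.
stale_ssl_pids() {
    root="${1:-/proc}"
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq '/lib(ssl|crypto)\.so[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
            pid="${maps%/maps}"
            echo "${pid##*/}"
        fi
    done
}

# Runs both checks on this host; returns non-zero if action is still needed.
check_host() {
    status=0
    if rpm -q --changelog openssl | changelog_has_fix; then
        echo "openssl: changelog lists $CVE"
    else
        echo "openssl: $CVE not in changelog, package still needs updating"
        status=1
    fi
    stale=$(stale_ssl_pids /proc)
    if [ -n "$stale" ]; then
        echo "restart needed, old library still mapped by PIDs:" $stale
        status=1
    fi
    return $status
}

# Invoke as: sh check_openssl.sh --run
if [ "${1:-}" = "--run" ]; then
    check_host
fi
```

Updating the package does not change the library already loaded by running services, so any PID reported by the second check keeps using the old code until its service is restarted.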
