The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of OpenSSL: denial of service via SSL3_AL_WARNING

Summary of the vulnerability

An attacker can send a continuous stream of SSL3_AL_WARNING alert records to an SSL/TLS application linked against OpenSSL, in order to trigger a denial of service.
Vulnerable software: OpenOffice, Debian, Unisphere EMC, VNX Operating Environment, VNX Series, Fedora, FreeBSD, FreeRADIUS, hMailServer, HP Switch, AIX, IRAD, Security Directory Server, Tivoli Storage Manager, Tivoli Workload Scheduler, Juniper ISG, Juniper J-Series, Junos OS, SSG, SRX-Series, Meinberg NTP Server, NetScreen Firewall, ScreenOS, OpenSSL, openSUSE Leap, Oracle Communications, Oracle DB, Oracle Fusion Middleware, Oracle Identity Management, Oracle OIT, Solaris, WebLogic, Palo Alto Firewall PA***, PAN-OS, pfSense, Pulse Connect Secure, RHEL, JBoss EAP by Red Hat, Shibboleth SP, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Ubuntu, WinSCP.
Severity of this alert: 2/4.
Creation date: 24/10/2016.
References for this vulnerability: 1996096, 2000095, 2003480, 2003620, 2003673, 2004940, 2009389, bulletinoct2016, cpujan2020, cpujul2019, cpujul2020, cpuoct2020, CVE-2016-8610, DLA-814-1, DSA-2019-197, DSA-2020-030, DSA-2020-062, DSA-3773-1, FEDORA-2017-3451dbec48, FEDORA-2017-e853b4144f, FreeBSD-SA-16:35.openssl, HPESBHF03897, JSA10808, JSA10809, JSA10810, JSA10811, JSA10813, JSA10814, JSA10816, JSA10817, JSA10818, JSA10820, JSA10821, JSA10822, JSA10825, openSUSE-SU-2017:0386-1, openSUSE-SU-2017:0487-1, openSUSE-SU-2018:4104-1, PAN-SA-2017-0017, pfSense-SA-17_03.webgui, RHSA-2017:0286-01, RHSA-2017:0574-01, RHSA-2017:1548-01, RHSA-2017:1549-01, RHSA-2017:1550-01, RHSA-2017:1551-01, RHSA-2017:1552-01, RHSA-2017:1658-01, RHSA-2017:1659-01, RHSA-2017:2493-01, RHSA-2017:2494-01, SA40886, SP-CAAAPUE, SPL-129207, SUSE-SU-2017:0304-1, SUSE-SU-2017:0348-1, SUSE-SU-2018:0112-1, SUSE-SU-2018:3864-1, SUSE-SU-2018:3864-2, SUSE-SU-2018:3964-1, SUSE-SU-2018:3994-1, SUSE-SU-2018:4068-1, SUSE-SU-2018:4274-1, SUSE-SU-2019:1553-1, USN-3181-1, USN-3183-1, USN-3183-2, VIGILANCE-VUL-20941.

Description of the vulnerability 

OpenSSL implements the SSLv3 and TLS protocols, which share the same record layer and the same alert mechanism.

An SSL3_AL_WARNING record is an alert of level Warning; SSL3_AL_WARNING is the name OpenSSL gives to that level whatever protocol version is negotiated. During the handshake, OpenSSL discarded each warning alert and went back to waiting for the next handshake message, without bounding how many such alerts it would accept. A peer that sends nothing but warning alerts therefore keeps the handshake code looping, and the process consumes 100% of a CPU core for as long as the stream lasts. The fix counts consecutive warning alerts and aborts the connection once a small limit is exceeded.

An attacker can therefore send a stream of SSL3_AL_WARNING records to an SSL/TLS application linked against OpenSSL, in order to trigger a denial of service.
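To make the loop concrete, here is an added example (not OpenSSL's code, and not part of the Vigil@nce bulletin): a small TLS record reader in Python with a handshake-wait loop in both its flawed form, which skips warning alerts without limit, and a bounded form modelled on the fix. The threshold of five, the user_canceled alert description and the sample byte stream are assumptions made for this demo.

```python
"""Added example, not OpenSSL's code: a minimal TLS record reader that shows why an
unbounded stream of warning alerts pins a handshake loop, and the bounded-alert
check that stops it. All sample bytes are constructed here for the demo."""
import struct

CONTENT_TYPE_ALERT = 21
CONTENT_TYPE_HANDSHAKE = 22
ALERT_LEVEL_WARNING = 1      # the level OpenSSL names SSL3_AL_WARNING
ALERT_LEVEL_FATAL = 2        # SSL3_AL_FATAL
ALERT_USER_CANCELED = 90     # a warning-level alert description, chosen for the demo
MAX_WARN_ALERT_COUNT = 5     # assumed threshold for this example
TLS_1_2 = (3, 3)             # record-layer version; alert handling is the same for SSLv3/TLS


def build_record(content_type, payload, version=TLS_1_2):
    """Frame one record: type(1) | version(2) | length(2) | payload."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(payload)) + payload


def warning_alert(description=ALERT_USER_CANCELED):
    """A single warning-level alert record, 7 bytes on the wire."""
    return build_record(CONTENT_TYPE_ALERT, bytes([ALERT_LEVEL_WARNING, description]))


def parse_records(data):
    """Yield (content_type, payload) for each complete record; reject truncated input."""
    off = 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header")
        ctype, _vmaj, _vmin, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        yield ctype, body
        off += 5 + length


def endless_warning_alerts():
    """Model the attacker: warning alerts forever, never the next handshake message."""
    while True:
        yield CONTENT_TYPE_ALERT, bytes([ALERT_LEVEL_WARNING, ALERT_USER_CANCELED])


def wait_for_handshake(records, max_warn_alerts=None):
    """Drain records until a handshake message arrives, as a handshake state machine does.

    Returns (records_consumed, outcome) with outcome in {"handshake", "closed", "eof"}.
    max_warn_alerts=None reproduces the flawed behaviour: every warning alert is
    skipped and the loop spins as long as the peer keeps sending them. With a limit,
    the connection is closed once too many consecutive warnings arrive.
    """
    consumed = 0
    warn_count = 0
    for ctype, body in records:
        consumed += 1
        if ctype == CONTENT_TYPE_ALERT:
            if len(body) != 2 or body[0] == ALERT_LEVEL_FATAL:
                return consumed, "closed"   # malformed or fatal alert ends the session
            warn_count += 1
            if max_warn_alerts is not None and warn_count > max_warn_alerts:
                return consumed, "closed"   # the fix: refuse to spin on endless warnings
            continue                        # warning alert: keep waiting (this is the spin)
        warn_count = 0                      # any other record resets the counter
        if ctype == CONTENT_TYPE_HANDSHAKE:
            return consumed, "handshake"
        return consumed, "closed"           # unexpected content type during the handshake
    return consumed, "eof"


# Constructed sample: three warning alerts, then a placeholder handshake record
# (message type 1 = ClientHello with an empty body, enough for the record layer).
SAMPLE_STREAM = warning_alert() * 3 + build_record(CONTENT_TYPE_HANDSHAKE, b"\x01\x00\x00\x00")

if __name__ == "__main__":
    print(wait_for_handshake(parse_records(SAMPLE_STREAM)))                    # (4, 'handshake')
    print(wait_for_handshake(parse_records(SAMPLE_STREAM), MAX_WARN_ALERT_COUNT))
    # The flawed loop never returns on endless_warning_alerts(); the bounded one does:
    print(wait_for_handshake(endless_warning_alerts(), MAX_WARN_ALERT_COUNT))  # (6, 'closed')
```

The finite sample passes through both variants because three warnings stay under the limit; the difference shows on the endless generator, where the flawed loop would run forever and the bounded loop returns after the sixth alert. Resetting the counter on any non-alert record matters: a legitimate peer that interleaves an occasional warning with real handshake messages is never cut off.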

Our Vigil@nce team determined that the severity of this vulnerability alert is medium.

Trust level: confirmed by the vendor. Attack origin: Internet client.

An attacker with expert skills can exploit this vulnerability.

Solutions for this threat 

OpenSSL: version 1.1.0b.
The version 1.1.0b is fixed:
  https://www.openssl.org/

OpenSSL: version 1.0.2j.
The version 1.0.2j is fixed:
  https://www.openssl.org/
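As an added check (not OpenSSL's code nor the bulletin's): a Python helper that tells whether an upstream OpenSSL version carries the fix by comparing it against the two releases listed above. It assumes the tuple layout of Python's ssl.OPENSSL_VERSION_INFO, and it cannot see vendor backports such as the distribution packages listed below, for which the package version must be compared instead.

```python
"""Added example, not OpenSSL's: decide whether an OpenSSL version tuple is at or
above the fixed releases named above (1.0.2j and 1.1.0b). The tuple layout is the
one Python's ssl.OPENSSL_VERSION_INFO exposes: (major, minor, fix, patch, status),
where the patch letter is a number (1.0.2j -> patch 10, 1.1.0b -> patch 2)."""
import ssl

# (major, minor, fix): minimum patch level that carries the fix on that branch
FIXED_PATCH_LEVEL = {
    (1, 0, 2): 10,   # 1.0.2j
    (1, 1, 0): 2,    # 1.1.0b
}


def is_fixed(version_info):
    """True if this upstream version carries the fix.

    Branches older than 1.0.2 (such as 1.0.1) have no fixed upstream release in the
    table, so they return False; vendors patched them in place, which this check
    cannot see (compare the distribution package version instead). Branches newer
    than 1.1.0 were released after the fix and return True.
    """
    major, minor, fix, patch = version_info[:4]
    branch = (major, minor, fix)
    if branch in FIXED_PATCH_LEVEL:
        return patch >= FIXED_PATCH_LEVEL[branch]
    return branch > (1, 1, 0)


def running_openssl_is_fixed():
    """Apply the check to the OpenSSL this interpreter is linked against."""
    return is_fixed(ssl.OPENSSL_VERSION_INFO)


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, "fixed upstream:", running_openssl_is_fixed())
```

A False result on a distribution build is not proof of exposure: Debian, Red Hat, SUSE and Ubuntu shipped the fix in packages whose upstream version string stayed at 1.0.1 or 1.0.2g, so on those systems the package versions listed below are the thing to check.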

OpenSSL: patch for SSL3_AL_WARNING.
A patch is indicated in information sources.

Apache OpenOffice: version 4.1.6.
The version 4.1.6 is fixed:
  https://www.openoffice.org/download/

Debian: new openssl packages.
New packages are available:
  Debian 7: openssl 1.0.1t-1+deb7u2
  Debian 8: openssl 1.0.1t-1+deb8u6

Dell EMC Unisphere for PowerMax: solution.
The solution is indicated in information sources.

Dell EMC VNXe3200: version 3.1.11.10003441.
The version 3.1.11.10003441 is fixed:
  https://www.dell.com/support/

Dell EMC VNXe: version MR4 Service Pack 5.
The version MR4 Service Pack 5 is fixed:
  https://www.dell.com/support/

Fedora: new openssl packages.
New packages are available:
  Fedora 24: openssl 1.0.2k-1.fc24
  Fedora 25: openssl 1.0.2k-1.fc25

FreeBSD: patch for OpenSSL.
A patch is available:
  https://security.FreeBSD.org/patches/SA-16:35/openssl-9.patch
  https://security.FreeBSD.org/patches/SA-16:35/openssl-10.patch

FreeRADIUS: version 3.0.13.
The version 3.0.13 is fixed:
  ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.13.tar.bz2

hMailServer: version 5.6.7.
The version 5.6.7 is fixed:
  https://www.hmailserver.com/download_getfile/?performdownload=1&downloadid=262

HPE Switches: solution for OpenSSL.
The solution is indicated in information sources.

IBM AIX: patch for OpenSSL.
A patch is indicated in information sources.

IBM Cognos Analytics: solution.
The solution is indicated in information sources.

IBM Rational Application Developer for WebSphere: solution for OpenSSL.
The solution is indicated in information sources.

IBM Security Directory Suite: version 8.0.1.4.
The version 8.0.1.4 is fixed.

IBM Spectrum Protect: versions 7.1.6.5 and 8.1.0.2.
Versions 7.1.6.5 and 8.1.0.2 are fixed:
  Version 7.1.6.5 : http://www-01.ibm.com/support/docview.wss?uid=swg24042496
  Version 8.1.0.2: http://www.ibm.com/support/docview.wss?uid=swg24043351

IBM Tivoli Workload Scheduler: patch for OpenSSL.
A patch reference is provided in the information sources for each supported version of Workload Scheduler.

Juniper Junos: solution.
The solution is indicated in information sources.

Meinberg NTP Server: version 4.2.8p10.
The version 4.2.8p10 is fixed:
  https://www.meinbergglobal.com/download/ntp/windows/ntp-4.2.8p10-win32-setup.exe

openSUSE Leap 42.1: new openssl packages.
New packages are available:
  openSUSE Leap 42.1: openssl 1.0.1i-21.1

openSUSE Leap 42.3: new compat-openssl098 packages.
New packages are available:
  openSUSE Leap 42.3: compat-openssl098 0.9.8j-27.1

openSUSE Leap: new gnutls packages.
New packages are available:
  openSUSE Leap 42.1: gnutls 3.2.15-8.1
  openSUSE Leap 42.2: gnutls 3.2.15-9.1

Oracle Communications: CPU of January 2020.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2625594.1
  https://support.oracle.com/rs?type=doc&id=2626101.1
  https://support.oracle.com/rs?type=doc&id=2628576.1
  https://support.oracle.com/rs?type=doc&id=2626102.1
  https://support.oracle.com/rs?type=doc&id=2622427.1
  https://support.oracle.com/rs?type=doc&id=2595443.1
  https://support.oracle.com/rs?type=doc&id=2595442.1
  https://support.oracle.com/rs?type=doc&id=2617852.1
  https://support.oracle.com/rs?type=doc&id=2626103.1

Oracle Communications: CPU of July 2020.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2681987.1
  https://support.oracle.com/rs?type=doc&id=2682459.1
  https://support.oracle.com/rs?type=doc&id=2682014.1
  https://support.oracle.com/rs?type=doc&id=2683787.1
  https://support.oracle.com/rs?type=doc&id=2683788.1
  https://support.oracle.com/rs?type=doc&id=2683789.1
  https://support.oracle.com/rs?type=doc&id=2682045.1
  https://support.oracle.com/rs?type=doc&id=2683831.1
  https://support.oracle.com/rs?type=doc&id=2682010.1
  https://support.oracle.com/rs?type=doc&id=2683832.1
  https://support.oracle.com/rs?type=doc&id=2682500.1
  https://support.oracle.com/rs?type=doc&id=2683241.1
  https://support.oracle.com/rs?type=doc&id=2682011.1
  https://support.oracle.com/rs?type=doc&id=2683840.1
  https://support.oracle.com/rs?type=doc&id=2682018.1
  https://support.oracle.com/rs?type=doc&id=2683841.1
  https://support.oracle.com/rs?type=doc&id=2683842.1
  https://support.oracle.com/rs?type=doc&id=2683843.1
  https://support.oracle.com/rs?type=doc&id=2683845.1

Oracle Database: CPU of July 2019.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2534806.1

Oracle Fusion Middleware: CPU of July 2019.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2534806.1

Oracle Fusion Middleware: CPU of October 2020.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2694898.1

Palo Alto PAN-OS: solution for OpenSSL.
The solution is indicated in information sources.

pfSense: version 2.3.3.
The version 2.3.3 is fixed:
  https://www.pfsense.org/download/

Pulse Connect Secure: fixed versions for SSL3_AL_WARNING.
Fixed versions are indicated in information sources.

Red Hat JBoss EAP: version 6.4.16.
The version 6.4.16 is fixed.

Red Hat JBoss Web Server 2: patch.
A patch is available:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=2.1.2

RHEL 6: new gnutls packages.
New packages are available:
  RHEL 6: gnutls 2.12.23-21.el6

RHEL: new openssl packages.
New packages are available:
  RHEL 6: openssl 1.0.1e-48.el6_8.4
  RHEL 7: openssl 1.0.1e-60.el7_3.1

ScreenOS: version 6.3.0r24.
The version 6.3.0r24 is fixed.

Shibboleth Service Provider: version 2.6.0.1.
The version 2.6.0.1 is fixed:
  http://shibboleth.net/downloads/service-provider/latest/

Solaris: patch for third party software of October 2016 v2.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

Splunk Enterprise: versions 6.0.13, 6.1.12, 6.2.12, 6.3.8, 6.4.5 and 6.5.1.
Versions 6.0.13, 6.1.12, 6.2.12, 6.3.8, 6.4.5 and 6.5.1 are fixed:
  http://www.splunk.com/

stunnel: version 5.37.
The version 5.37 is fixed:
  https://www.stunnel.org/downloads.html

SUSE LE 11: new gnutls packages.
New packages are available:
  SUSE LE 11 SP4: gnutls 2.4.1-24.39.67.1

SUSE LE 11: new openssl packages.
New packages are available:
  SUSE LE 11 SP3: openssl 0.9.8j-0.106.18.1
  SUSE LE 11 SP4: openssl 0.9.8j-0.106.18.1

SUSE LE 11 SP3: new openssl1 packages.
New packages are available:
  SUSE LE 11 SP3: openssl1 1.0.1g-0.58.15.1

SUSE LE 11 SP4: new compat-openssl097g packages.
New packages are available:
  SUSE LE 11 SP4: compat-openssl097g 0.9.7g-146.22.51.8.1

SUSE LE 12: new gnutls packages.
New packages are available:
  SUSE LE 12 SP1: gnutls 3.2.15-16.1
  SUSE LE 12 SP2: gnutls 3.2.15-16.1

SUSE LE 12 RTM: new openssl packages (17/01/2018).
New packages are available:
  SUSE LE 12 RTM: openssl 1.0.1i-27.28.1

SUSE LE 12 RTM: new openssl packages (19/06/2019).
New packages are available:
  SUSE LE 12 RTM: openssl 1.0.1i-27.34.1

SUSE LE 12 SP1: new openssl packages (23/11/2018).
New packages are available:
  SUSE LE 12 SP1: openssl 1.0.1i-54.20.1

SUSE LE 12 SP3/4: new compat-openssl098 packages.
New packages are available:
  SUSE LE 12 SP3: compat-openssl098 0.9.8j-106.9.1
  SUSE LE 12 SP4: compat-openssl098 0.9.8j-106.9.1

Ubuntu: new libgnutls packages.
New packages are available:
  Ubuntu 16.10: libgnutls30 3.5.3-5ubuntu1.1
  Ubuntu 16.04 LTS: libgnutls30 3.4.10-4ubuntu1.2
  Ubuntu 14.04 LTS: libgnutls26 2.12.23-12ubuntu2.7
  Ubuntu 12.04 LTS: libgnutls26 2.12.14-5ubuntu3.14

Ubuntu: new libssl1.0.0 packages.
New packages are available:
  Ubuntu 16.10: libssl1.0.0 1.0.2g-1ubuntu9.1
  Ubuntu 16.04 LTS: libssl1.0.0 1.0.2g-1ubuntu4.6
  Ubuntu 14.04 LTS: libssl1.0.0 1.0.1f-1ubuntu2.22
  Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.39

WinSCP: version 5.9.3.
The version 5.9.3 is fixed:
  https://winscp.net/

Computer vulnerabilities tracking service 

Vigil@nce provides a network vulnerability alert service. The Vigil@nce vulnerability database contains several thousand vulnerabilities.