5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.007 Low
EPSS
Percentile
79.8%
Issue Overview:
It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-0169)
A NULL pointer dereference flaw was found in the OCSP response verification in OpenSSL. A malicious OCSP server could use this flaw to crash applications performing OCSP verification by sending a specially-crafted response. (CVE-2013-0166)
It was discovered that the TLS/SSL protocol could leak information about plain text when optional compression was used. An attacker able to control part of the plain text sent over an encrypted TLS/SSL connection could possibly use this flaw to recover other portions of the plain text. (CVE-2012-4929)
Note: This update disables zlib compression, which was previously enabled in OpenSSL by default. Applications using OpenSSL now need to explicitly enable zlib compression to use it.
Affected Packages:
openssl
Issue Correction:
Run yum update openssl to update your system.
New Packages:
i686:
openssl-devel-1.0.0k-1.48.amzn1.i686
openssl-static-1.0.0k-1.48.amzn1.i686
openssl-1.0.0k-1.48.amzn1.i686
openssl-debuginfo-1.0.0k-1.48.amzn1.i686
openssl-perl-1.0.0k-1.48.amzn1.i686
src:
openssl-1.0.0k-1.48.amzn1.src
x86_64:
openssl-debuginfo-1.0.0k-1.48.amzn1.x86_64
openssl-1.0.0k-1.48.amzn1.x86_64
openssl-devel-1.0.0k-1.48.amzn1.x86_64
openssl-perl-1.0.0k-1.48.amzn1.x86_64
openssl-static-1.0.0k-1.48.amzn1.x86_64
Red Hat: CVE-2012-4929, CVE-2013-0166, CVE-2013-0169
Mitre: CVE-2012-4929, CVE-2013-0166, CVE-2013-0169
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 1 | i686 | openssl-devel | < 1.0.0k-1.48.amzn1 | openssl-devel-1.0.0k-1.48.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | openssl-static | < 1.0.0k-1.48.amzn1 | openssl-static-1.0.0k-1.48.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | openssl | < 1.0.0k-1.48.amzn1 | openssl-1.0.0k-1.48.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | openssl-debuginfo | < 1.0.0k-1.48.amzn1 | openssl-debuginfo-1.0.0k-1.48.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | openssl-perl | < 1.0.0k-1.48.amzn1 | openssl-perl-1.0.0k-1.48.amzn1.i686.rpm |
Amazon Linux | 1 | x86_64 | openssl-debuginfo | < 1.0.0k-1.48.amzn1 | openssl-debuginfo-1.0.0k-1.48.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | openssl | < 1.0.0k-1.48.amzn1 | openssl-1.0.0k-1.48.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | openssl-devel | < 1.0.0k-1.48.amzn1 | openssl-devel-1.0.0k-1.48.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | openssl-perl | < 1.0.0k-1.48.amzn1 | openssl-perl-1.0.0k-1.48.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | openssl-static | < 1.0.0k-1.48.amzn1 | openssl-static-1.0.0k-1.48.amzn1.x86_64.rpm |