[QSA - 0326132] OpenSSL vulnerability

Qlustar Security Advisory 0326132

Summary:

The system could suffer from a denial of service or plaintext-recovery attack.

Package(s)       : libssl1.0.0
Affected versions: All versions prior to this update
Vulnerability    : denial of service/plaintext-recovery attacks
Problem type     : remote
Qlustar-specific : no
CVE Id(s)        : CVE-2012-2686, CVE-2013-0169

Several vulnerabilities have been discovered in OpenSSL that may lead to a denial of service or allow plaintext-recovery attacks. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2012-2686

Adam Langley and Wolfgang Ettlingers discovered that OpenSSL incorrectly handled certain crafted CBC data when used with AES-NI. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service.

CVE-2013-0169

Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used in OpenSSL was vulnerable to a timing side-channel attack known as the "Lucky Thirteen" issue. A remote attacker could use this issue to perform plaintext-recovery attacks via analysis of timing data.

Update instructions:

The problem can be corrected by updating your system to the following package versions (follow the Qlustar Update Guide):

libssl1.0.0                                1.0.1-4ubuntu5.8
qlustar-module-core-precise-amd64-8.0.1    8.0.1-b419f807