[QSA - 0326132] OpenSSL vulnerability
Qlustar Security Advisory 0326132
March 26, 2013Summary:
The system could suffer from a denial of service or plaintext-recovery attack.
Package(s) : libssl1.0.0 Affected versions: All versions prior to this update Vulnerability : denial of service/plaintext-recovery attacks Problem type : remote Qlustar-specific : no CVE Id(s) : CVE-2012-2686, CVE-2013-0169
Several vulnerabilities have been discovered in OpenSSL that may lead to a denial of service or allow plaintext-recovery attacks. The Common Vulnerabilities and Exposures project identifies the following problems:
CVE-2012-2686
Adam Langley and Wolfgang Ettlingers discovered that OpenSSL incorrectly handled certain crafted CBC data when used with AES-NI. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service.
CVE-2013-0169
Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used in OpenSSL was vulnerable to a timing side-channel attack known as the "Lucky Thirteen" issue. A remote attacker could use this issue to perform plaintext-recovery attacks via analysis of timing data.
Update instructions:
The problem can be corrected by updating your system to the following package versions (follow the Qlustar Update Guide):
libssl1.0.0 1.0.1-4ubuntu5.8 qlustar-module-core-precise-amd64-8.0.1 8.0.1-b419f807