VPR Score: 5.6
Synopsis
The remote Amazon Linux AMI host is missing a security update.
Description
Bodo Moller, Thai Duong and Krzysztof Kotowicz of Google discovered a flaw in the design of SSL version 3.0 that would allow an attacker to calculate the plaintext of secure connections, allowing, for example, secure HTTP cookies to be stolen.
Special notes:
We have backfilled our 2014.03, 2013.09, and 2013.03 Amazon Linux AMI repositories with updated openssl packages that fix CVE-2014-3566.
For 2014.09 Amazon Linux AMIs, 'openssl-1.0.1i-1.79.amzn1' addresses this CVE. Running 'yum clean all' followed by 'yum update openssl' will install the fixed package.
For Amazon Linux AMIs 'locked' to the 2014.03 repositories, 'openssl-1.0.1i-1.79.amzn1' also addresses this CVE. Running 'yum clean all' followed by 'yum update openssl' will install the fixed package.
For Amazon Linux AMIs 'locked' to the 2013.09 or 2013.03 repositories, 'openssl-1.0.1e-4.60.amzn1' addresses this CVE. Running 'yum clean all' followed by 'yum update openssl' will install the fixed package.
If you are using a pre-2013.03 Amazon Linux AMI, we encourage you to move to a newer version of the Amazon Linux AMI as soon as possible.
Solution
Run 'yum update openssl' to update your system. Note that you may need to run 'yum clean all' first.