Amazon Linux AMI : openssl (ALAS-2014-426) (POODLE)

Medium Nessus Plugin ID 78484


Synopsis

The remote Amazon Linux AMI host is missing a security update.

Description

Bodo Möller, Thai Duong and Krzysztof Kotowicz of Google discovered a flaw in the design of SSL version 3.0 that would allow an attacker to calculate the plaintext of secure connections, allowing, for example, secure HTTP cookies to be stolen.

http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html

https://www.openssl.org/~bodo/ssl-poodle.pdf

Special notes:

We have backfilled our 2014.03, 2013.09, and 2013.03 Amazon Linux AMI repositories with updated openssl packages that fix CVE-2014-3566.

For 2014.09 Amazon Linux AMIs, 'openssl-1.0.1i-1.79.amzn1' addresses this CVE. Running 'yum clean all' followed by 'yum update openssl' will install the fixed package.

For Amazon Linux AMIs 'locked' to the 2014.03 repositories, 'openssl-1.0.1i-1.79.amzn1' also addresses this CVE. Running 'yum clean all' followed by 'yum update openssl' will install the fixed package.

For Amazon Linux AMIs 'locked' to the 2013.09 or 2013.03 repositories, 'openssl-1.0.1e-4.60.amzn1' addresses this CVE. Running 'yum clean all' followed by 'yum update openssl' will install the fixed package.

If you are using a pre-2013.03 Amazon Linux AMI, we encourage you to move to a newer version of the Amazon Linux AMI as soon as possible.
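The fixed version differs per Amazon Linux AMI release (1.0.1i-1.79.amzn1 for 2014.x, 1.0.1e-4.60.amzn1 for 2013.x), so a correct check must key on the host's release rather than compare against a single version. The script below is an added example, not Tenable's plugin code or Amazon's tooling; it assumes the release id (e.g. "2014.09") was read from /etc/system-release and the package string from `rpm -q openssl`, and its rpmvercmp is a simplified reimplementation of RPM's segment comparison.

```python
import re

# Fixed openssl version-release per Amazon Linux AMI release, from ALAS-2014-426.
FIXED_OPENSSL = {
    "2014.09": ("1.0.1i", "1.79.amzn1"),
    "2014.03": ("1.0.1i", "1.79.amzn1"),
    "2013.09": ("1.0.1e", "4.60.amzn1"),
    "2013.03": ("1.0.1e", "4.60.amzn1"),
}

_SEGMENT = re.compile(r"(\d+|[A-Za-z]+)")


def rpmvercmp(a, b):
    """Simplified rpmvercmp: split into numeric/alpha segments, compare
    numbers numerically and letters lexically; a numeric segment is newer
    than an alpha one, and the string with segments left over is newer."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_rpm(pkg):
    """Split 'openssl-1.0.1i-1.79.amzn1[.x86_64]' into (name, version, release)."""
    pkg = re.sub(r"\.(x86_64|i686|noarch)$", "", pkg)
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release


def is_fixed(release_id, installed_pkg):
    """True if the installed openssl is at or above the fixed version for this
    AMI release; None for pre-2013.03 AMIs, which have no fixed package."""
    if release_id not in FIXED_OPENSSL:
        return None
    name, version, release = parse_rpm(installed_pkg)
    if name != "openssl":
        raise ValueError("expected an openssl package, got %s" % name)
    fixed_version, fixed_release = FIXED_OPENSSL[release_id]
    order = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return order >= 0
```

Note that the same package string is judged differently per release: 1.0.1e-4.60.amzn1 is fixed on a 2013.09 host but not on a 2014.03 host.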

Solution

Run 'yum update openssl' to update your system. Note that you may need to run 'yum clean all' first.

See Also

https://aws.amazon.com/amazon-linux-ami/faqs/#lock

https://alas.aws.amazon.com/ALAS-2014-426.html

Plugin Details

Severity: Medium

ID: 78484

File Name: ala_ALAS-2014-426.nasl

Version: 1.15

Type: local

Agent: unix

Published: 2014/10/16

Updated: 2019/11/12

Dependencies: 12634

Risk Information

Risk Factor: Medium

VPR Score: 5.6

CVSS v2.0

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS v3.0

Base Score: 3.4

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:openssl, p-cpe:/a:amazon:linux:openssl-debuginfo, p-cpe:/a:amazon:linux:openssl-devel, p-cpe:/a:amazon:linux:openssl-perl, p-cpe:/a:amazon:linux:openssl-static, cpe:/o:amazon:linux

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Patch Publication Date: 2014/10/14

Vulnerability Publication Date: 2014/10/15

Reference Information

CVE: CVE-2014-3566

ALAS: 2014-426