Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : openssl vulnerabilities (USN-2914-1)
Critical Nessus Plugin ID 89078
Synopsis
The remote Ubuntu host is missing a security-related patch.
Description
Yuval Yarom, Daniel Genkin, and Nadia Heninger discovered that OpenSSL was vulnerable to a side-channel attack on modular exponentiation. On certain CPUs, a local attacker could possibly use this issue to recover RSA keys. This flaw is known as CacheBleed. (CVE-2016-0702)
Adam Langley discovered that OpenSSL incorrectly handled memory when parsing DSA private keys. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-0705)
Guido Vranken discovered that OpenSSL incorrectly handled hex digit calculation in the BN_hex2bn function. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-0797)
Emilia Kasper discovered that OpenSSL incorrectly handled memory when performing SRP user database lookups. A remote attacker could possibly use this issue to cause OpenSSL to consume memory, resulting in a denial of service. (CVE-2016-0798)
Guido Vranken discovered that OpenSSL incorrectly handled memory when printing very long strings. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-0799).
Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
Solution
Update the affected libssl1.0.0 package.