1 Reply Latest reply on May 24, 2011 1:53 PM by cgrim

    OpenSSL Vulnerability

      Hello,

      We ran a PCI compliance check on one of our servers and got the following level 4 OpenSSL vulnerability:

      ********************************************************************************

      OpenSSL Multiple Vulnerabilities <= 0.9.8p | 443/tcp | Web Server | Fail
      Description
      The openSSL version detected on this server might be vulnerable to a host of vulnerabilities including (but not limited to)
      - TLS protocol session negotiation
      - DTLS packets denial of service
      - function signature verification
      - renegotiation improperly handled with TLS and SSL3.0
      - multiple other vulnerabilities

      It has been determined that you are running an OpenSSL version <= 0.9.8p

      Refer to the changelog for more information on a particular CVE: http://www.openssl.org/news/vulnerabilities.html

      CVSS Score
      7.6

      CVSS Fingerprint
      AV:N/AC:H/Au:N/C:C/I:C/A:C

      Solution
      Upgrade to the latest OpenSSL version


      ********************************************************************************

      The latest version of OpenSSL is 1.0.0d and the current version of OpenSSL on our servers is 0.9.8e. OpenSSL version 0.9.8e seems to be the latest version installed on the CentOS 5 cPanel servers, and this is the latest existing vendor-provided version of OpenSSL. Several patches were released for this version and I can see that these patches were applied on our server. The last patch applied was on December 7, 2010. A method to upgrade OpenSSL is specified in one of the cPanel forum posts. However, it is not recommended since there is a chance of breaking application compatibility and library linkages.


      Can we opt for an alternative option to solve this? Please advise.

      Thanks in advance for any help.

      Regards,

      Sandy
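Added example (not from the thread, cPanel or McAfee): a POSIX shell triage helper for the situation Sandy describes. A version-string check like the one above cannot see vendor backports; on CentOS the fixes are recorded in the package changelog (`rpm -q --changelog openssl`), so the helper searches that text for the CVE identifiers a finding cites and reports whether each one is covered. The changelog text and CVE numbers below are constructed placeholders, not real advisories.

```shell
#!/bin/sh
# On a live CentOS host, feed the real changelog instead:
#   CHANGELOG="$(rpm -q --changelog openssl)"
# CONSTRUCTED sample changelog (placeholder CVE ids, placeholder release tags).
SAMPLE_CHANGELOG='* Tue Dec 07 2010 Example Maintainer <maint@example.invalid> - 0.9.8e-99.example.1
- fix CVE-0000-0001 - backported protocol fix (placeholder)
- fix CVE-0000-0002 - backported DoS fix (placeholder)
* Tue Apr 20 2010 Example Maintainer <maint@example.invalid> - 0.9.8e-98.example.1
- rebuild, no security content'

# Print the unique CVE identifiers mentioned in a changelog text, one per line.
cves_in_changelog() {
    printf '%s\n' "$1" | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Exit 0 if the changelog ($1) names the CVE ($2), 1 otherwise.
changelog_covers_cve() {
    cves_in_changelog "$1" | grep -qx "$2"
}

# Triage a scanner finding: $1 is the changelog text, the remaining arguments
# are the CVEs the finding cites. Prints "backported" only when every cited
# CVE appears in the changelog; otherwise prints "exposed:" plus the CVEs that
# are missing, which is the list to raise with the vendor or to patch by hand.
triage_finding() {
    changelog="$1"; shift
    missing=""
    for cve in "$@"; do
        if ! changelog_covers_cve "$changelog" "$cve"; then
            missing="${missing:+$missing }$cve"
        fi
    done
    if [ -z "$missing" ]; then
        echo "backported"
    else
        echo "exposed: $missing"
    fi
}

# Demonstration: one finding fully backported, one with an uncovered CVE.
triage_finding "$SAMPLE_CHANGELOG" CVE-0000-0001 CVE-0000-0002
triage_finding "$SAMPLE_CHANGELOG" CVE-0000-0001 CVE-0000-0003
```

A "backported" result is what you attach to the scanner's dispute or exception request; an "exposed" result means the version banner was right for that CVE and the package still needs a fix.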


        • 1. Re: OpenSSL Vulnerability

          Hi Sandy,

          We will need to research that and determine if the solution can be modified. In order to do so, it would be best for you to open a Service Request so it gets into the proper queue.

          To open an SR:

          -  Go to: http://www.mcafee.com/us/about/contact/index.html
          -  Non-US customers - select your country from the list of Worldwide Offices.


          Alternatively:
          Log in to the ServicePortal at: https://mysupport.mcafee.com:

          -  If you are a registered user, type your User Id and Password and click OK.
          -  If you are not a registered user, click New User and complete the required fields. Your password and login instructions will be emailed to you.


          Thanks,

          Cathy