As far as I understood, it should be sufficient to upgrade openssl (done a long time ago; now installed all available updates again (no openssl there)) and restart nginx.
I even tried to stop nginx fully (verified it with ps) and start it again.
But ssllabs still tells me that I am vulnerable. What else do I need to do, or what can be causing that it's still vulnerable?
versions:
ii nginx 1.9.10-1 all small, powerful, scalable web/proxy server
ii nginx-common 1.9.10-1 all small, powerful, scalable web/proxy server - common files
ii nginx-full 1.9.10-1 amd64 nginx web/proxy server (standard version)
ii openssl 1.0.1t-1+deb8u2 amd64 Secure Sockets Layer toolkit - cryptographic utility
ii libssl-dev:amd64 1.0.1t-1+deb8u2 amd64 Secure Sockets Layer toolkit - development files
ii libssl-doc 1.0.1t-1+deb8u2 all Secure Sockets Layer toolkit - development documentation
ii libssl1.0.0:amd64 1.0.1t-1+deb8u2 amd64 Secure Sockets Layer toolkit - shared libraries
ii libssl1.0.2:amd64 1.0.2f-2 amd64 Secure Sockets Layer toolkit - shared libraries
lsof output related to nginx:
lsof 2>/dev/null | grep -i libssl | grep nginx
nginx 17928 root mem REG 251,0 430560 2884885 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2
nginx 17929 www-data mem REG 251,0 430560 2884885 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2
nginx 17930 www-data mem REG 251,0 430560 2884885 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2
nginx 17932 www-data mem REG 251,0 430560 2884885 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2
nginx 17933 www-data mem REG 251,0 430560 2884885 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2
I got it.
I installed certbot from debian unstable, which installed 1.0.2f-2. unstable is pinned to priority "-100" (do not install from unstable unless requested with -t unstable). This means the version is between the jessie version 1.0.0X-Y and the current unstable version 1.0.2.h-1. This prevented an upgrade to the next version in unstable, while the upgrade in stable is an "older" version with respect to the version number.
Installing the necessary updates (as suggested by https://serverfault.com/users/126632/michael-hampton in the comments) seems to fix the issue for me.
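As an added check (my example, not code from the question or either answer): the lsof listing in the question shows which libssl soname each nginx process has mapped, but a long-running worker can also keep a copy of the library that apt has already replaced on disk, so the upgrade is not in effect until it is restarted. This script parses lsof lines in that column layout over a constructed sample and flags workers that map a different soname than expected or a deleted copy; it assumes Linux lsof's convention of reporting an unlinked mapped file with DEL in the FD column (a trailing "(deleted)" as in /proc/PID/maps is handled too), and it does not check the Debian package revision, which the answer above shows can be behind even when the soname looks current.

```python
import re

# Constructed sample in the column layout of the lsof output in the question
# (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME). Worker 17930 still has
# the old 1.0.0 library mapped, and worker 17933 maps a copy that has since
# been replaced on disk, which Linux lsof reports with DEL in the FD column.
SAMPLE_LSOF = """\
nginx 17928 root mem REG 251,0 430560 2884885 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2
nginx 17929 www-data mem REG 251,0 430560 2884885 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2
nginx 17930 www-data mem REG 251,0 401152 2884701 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
nginx 17933 www-data DEL REG 251,0 2884880 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2
apache2 2201 www-data mem REG 251,0 401152 2884701 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
"""

# Matches the soname suffix of a libssl path, e.g. "1.0.2" in libssl.so.1.0.2
LIBSSL_RE = re.compile(r"/libssl\.so\.([0-9.]+)$")


def audit_libssl(lsof_output, expected_version, command="nginx"):
    """Return {pid: (problem, version)} for each process named `command` whose
    mapped libssl is not a live, on-disk copy of `expected_version`.

    problem is "stale"   -> library replaced on disk, process never restarted
               "version" -> a different libssl soname than the one expected
    """
    findings = {}
    for line in lsof_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != command:
            continue
        # /proc-style listings append "(deleted)" after the path; lsof uses FD=DEL
        deleted_suffix = fields[-1] == "(deleted)"
        path = fields[-2] if deleted_suffix else fields[-1]
        match = LIBSSL_RE.search(path)
        if not match:
            continue
        pid, version = int(fields[1]), match.group(1)
        if fields[3] == "DEL" or deleted_suffix:
            findings[pid] = ("stale", version)
        elif version != expected_version:
            findings[pid] = ("version", version)
    return findings


if __name__ == "__main__":
    for pid, (problem, version) in sorted(audit_libssl(SAMPLE_LSOF, "1.0.2").items()):
        print("pid %d: %s libssl.so.%s" % (pid, problem, version))
```

On a live host, feed it the output of the lsof pipeline from the question and the soname of the libssl package you expect after the upgrade.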
I had a similar issue on a Debian Wheezy server. https://www.ssllabs.com/ssltest/ always showed that my server was vulnerable to CVE-2016-2107. Other servers with (in my opinion) the same config did not have this security issue: openssl, apache, php, all the same versions and the same config.
After some investigation I found out that mod_spdy was installed and activated on this particular server. After uninstalling mod_spdy the issue was solved.
From https://stackoverflow.com/questions/25593257/how-do-i-remove-spdy-mod-spdy