[UPDATED] OpenSSL Security Advisory: CVE-2016-2108, CVE-2016-2107, Other Vulnerabilities

Sean G. -

Update to Original Notice

(Updates as of 24-May-2016 UTC appear with asterisk*)

(First update appeared 9-May-2016 UTC; Original Notice appears at the bottom of this post)

How To Update Your Services

Triton Cloud (public cloud) users and Triton Enterprise (on-premises, private cloud) software users:

Update to the fixed release of the affected versions, as shown in the table below:

CVE                              Version(s) Affected   Fixed Release(s)   Where Available

CVE-2016-2108                    OpenSSL 1.0.2         OpenSSL 1.0.2c     2015Q1
                                 OpenSSL 1.0.1         OpenSSL 1.0.1o     2014Q2, 2014Q4

CVE-2016-2107, CVE-2016-2105,    OpenSSL 1.0.2         OpenSSL 1.0.2h     2015Q4, 2016Q1
CVE-2016-2106, CVE-2016-2109,    OpenSSL 1.0.1         OpenSSL 1.0.1t     2014Q4
and CVE-2016-2176

You can determine whether OpenSSL is installed (as well as the version you have installed) by running:

$ pkgin ls | grep -i openssl

Customers can re-install OpenSSL with the following commands:

$ pkgin -y up && pkgin -y in openssl

Or, install the version needed (if only available in a different repository), by running:

$ pkg_add pkgsrc_path_to_package

For example, if you need to install OpenSSL version 1.0.2h from the 2016Q1 repository, but you are running on an image that is using a different repository, you can install the 1.0.2h version by running the following (with the caveat that we strongly suggest you first try this on a non-production machine, to ensure you do not run into any dependency issues):

$ pkg_add -U http://pkgsrc.joyent.com/packages/SmartOS/2016Q1/x86_64/All/openssl-1.0.2h.tgz

Note: If your current version is 1.0.1, then you can only upgrade to 1.0.1t from the 2014Q4 repository, as follows. You cannot upgrade a 1.0.1 installation to 1.0.2h.

$ pkg_add -U http://pkgsrc.joyent.com/packages/SmartOS/2014Q4/x86_64/All/openssl-1.0.1t.tgz
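The version check and the 1.0.2h / 1.0.1t mapping above, as an added POSIX shell example that is not part of Joyent's notice: it reads the OpenSSL version out of `pkgin ls` output, strips the pkgsrc `nb` revision suffix, and reports whether the installed build already carries the fix or which repository package to pkg_add. The `pkgin ls` sample is constructed and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `pkgin ls` output (not captured from a real host).
SAMPLE_PKGIN_LS='gmake-4.1nb3       GNU version of make utility
openssl-1.0.2c     Secure Sockets Layer and cryptographic library
zlib-1.2.8         General purpose data compression library'

# Print the installed OpenSSL version (e.g. 1.0.2c) from `pkgin ls` output.
openssl_version() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^openssl-/ { sub(/^openssl-/, "", $1); print $1; exit }'
}

# Decide whether an installed OpenSSL version already carries the fixes.
# Prints "fixed", or "upgrade <pkgsrc URL>" naming the package to pkg_add,
# or "unknown" for a release series this notice does not cover.
fix_status() {
    ver=${1%%nb*}                    # drop the pkgsrc revision (1.0.2hnb1 -> 1.0.2h)
    case "$ver" in
        1.0.2*) fixed=1.0.2h; repo=2016Q1 ;;   # per the table in the notice
        1.0.1*) fixed=1.0.1t; repo=2014Q4 ;;   # 1.0.1 cannot move to 1.0.2h
        *)      echo unknown; return 1 ;;
    esac
    base=${fixed%?}                  # 1.0.2 or 1.0.1
    have=${ver#"$base"}              # installed patch letter(s), may be empty
    need=${fixed#"$base"}            # patch letter(s) of the fixed release
    # OpenSSL patch letters sort alphabetically, and a bare base version (no
    # letter) predates every lettered release, so a string compare suffices.
    if awk -v a="$have" -v b="$need" 'BEGIN { exit !(a < b) }'; then
        echo "upgrade http://pkgsrc.joyent.com/packages/SmartOS/$repo/x86_64/All/openssl-$fixed.tgz"
    else
        echo fixed
    fi
}

# Stand-alone run against the constructed sample: reports the 1.0.2h upgrade.
fix_status "$(openssl_version "$SAMPLE_PKGIN_LS")"
```

On a real host, replace the constructed sample with `pkgin ls` output and try the reported pkg_add on a non-production machine first, as the notice advises.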


Triton Enterprise (formerly SDC 7) software users*

The following Triton components have been fixed and are now available from the support channel:

  • sdcadm (upgrade to most recently published 1.11.1 version)
  • adminui (upgrade to release-20160512-20160512T165733Z-g63d9d37)
  • docker (upgrade to release-20160512-20160512T164735Z-gabdb1f1)
  • imgapi (upgrade to release-20160512-20160512T164432Z-g318b58e)
  • gz-tools (upgrade to most recently published 3.0.0 version)
  • Users should also update their boot platform to release-20160428-20160504T174400Z, or newer

For further details on applying updates, you can reference the Triton maintenance and upgrades web page. Should you require any further assistance with your updates to the components above, please contact our Support team by raising a request at the Customer Support portal or emailing support@joyent.com.


Manta, CloudAPI and Portal:

Please be assured that any Joyent components identified as being affected will be updated. 


Linux Users:

Please check the notices applicable to the Linux distro that you are using:

 

Node.js users:

As described in the 6-May-2016 Node.js update found here, the following releases have been made available to include the OpenSSL security updates:

Please upgrade your Node.js installation as soon as possible.


Open source Triton users:

Update boot platform image to: release-20160428-20160504T174400Z

Update adminui, docker, and imgapi to the 20160512 releases listed above.*

Direct any further questions to: The SmartOS Community Mailing Lists and IRC

Original Notice

(Posted 3-May-2016 UTC)

This notice is to provide preliminary advice to all Triton Cloud (public cloud) customers and all Triton Enterprise (formerly SDC 7) software customers of the recently-identified, high-severity OpenSSL security vulnerabilities CVE-2016-2108 and CVE-2016-2107, as well as four low-severity CVEs. Further information regarding these vulnerabilities is available here.

As soon as we can, we will update this notice to confirm the actions taken by Joyent, and to provide specific details of any required actions -- such as pkgsrc and software updates -- that will need to be taken by both Triton Cloud and Triton Enterprise software customers.

Node users are advised to watch for updates here; any new Node.js releases impacting software will be included in the above-mentioned Joyent pkgsrc and software updates.

Please do not hesitate to contact our Support team (by raising a ticket at the Customer Support portal or by email to support@joyent.com) if any questions or concerns come up.
