Tuesday, May 3, 2016

Security notification: OpenSSL 1.0.2h / 1.0.1t

A new security vulnerability was recently discovered in certain versions of OpenSSL. More information about the vulnerability is available on the OpenSSL website: https://www.openssl.org/news/secadv/20160503.txt

There are two high-severity security issues that do not affect Bitnami installations:

1. Memory corruption in the ASN.1 encoder (CVE-2016-2108).

  • All of the currently released Bitnami stacks use an OpenSSL version newer than the affected versions (1.0.2c or 1.0.1o).

2. Padding oracle in AES-NI CBC MAC check (CVE-2016-2107).

  • The OpenSSL we ship with the Bitnami installers, virtual machines and cloud images does not enable AES-NI encryption.

The Bitnami team will continue working on updating OpenSSL to 1.0.2h for all Bitnami apps. To be clear, however, the two security issues above do not affect the applications that are currently available.
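As an added example (not code from this post or from Bitnami), the following script classifies an `openssl version` banner against the two CVEs using the version thresholds quoted above; the `aesni_enabled` flag and the `local_openssl_version` helper are assumptions for illustration.

```python
import re
import subprocess

# Last affected release on each branch. CVE-2016-2107 is fixed in 1.0.2h / 1.0.1t
# (the advisory this post links); CVE-2016-2108 uses the thresholds the post
# quotes (stacks are safe on versions newer than 1.0.2c / 1.0.1o).
LAST_AFFECTED = {
    "CVE-2016-2108": {"1.0.2": "1.0.2c", "1.0.1": "1.0.1o"},
    "CVE-2016-2107": {"1.0.2": "1.0.2g", "1.0.1": "1.0.1s"},
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Turn 'OpenSSL 1.0.2g  1 Mar 2016' into a comparable tuple (1, 0, 2, 'g')."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix, letter = m.groups()
    # The patch letter sorts lexically ('' < 'a' < 'b' ...), which matches
    # OpenSSL's 1.0.x release ordering.
    return (int(major), int(minor), int(fix), letter)


def assess(version_text, aesni_enabled=True):
    """Map each CVE to 'fixed', 'affected', 'not-exposed' or 'unknown-branch'."""
    v = parse_version(version_text)
    branch = "%d.%d.%d" % v[:3]
    result = {}
    for cve, per_branch in LAST_AFFECTED.items():
        last = per_branch.get(branch)
        if last is None:
            result[cve] = "unknown-branch"  # e.g. 1.1.0: not covered by this table
        elif v > parse_version(last):
            result[cve] = "fixed"
        elif cve == "CVE-2016-2107" and not aesni_enabled:
            # The padding oracle lives in the AES-NI CBC code path; the post's
            # argument is that a build which never takes that path is not exposed.
            result[cve] = "not-exposed"
        else:
            result[cve] = "affected"
    return result


def local_openssl_version():
    """Ask the installed binary (assumed helper); on a Bitnami stack, point PATH at the bundled openssl first."""
    return subprocess.check_output(["openssl", "version"]).decode()


if __name__ == "__main__":
    banner = local_openssl_version()
    print(banner.strip(), assess(banner))
```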

2 comments:

  1. This post is misleading. I have an AWS-hosted Bitnami instance that fails the test for CVE-2016-2107 here: https://filippo.io/CVE-2016-2107/ . Please publish a fix.

  2. Hi,

    I am sorry to hear about the trouble you are experiencing. Can you kindly provide either your application URL or AMI number so we can investigate the issue? Thank you!


Please use our community forum if you have any questions: community.bitnami.com