Question

How To Fix CVE-2016-2107 on Ubuntu 14.04?

Posted July 19, 2016 26.6k views
Nginx Ubuntu Node.js Security DigitalOcean Let's Encrypt

Hello Digital Ocean Community -

For reference my setup is Ubuntu 14.04 with nginx

I need your help! I followed this guide (https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04) to set up KingsKidsClub.com and SacramentoKingsKidsClub.com.

Installation went well except for testing the security on ssllabs at the end of step 3. See:
https://www.ssllabs.com/ssltest/analyze.html?d=kingskidsclub.com
https://www.ssllabs.com/ssltest/analyze.html?d=sacramentokingskidsclub.com

I failed both tests, apparently I have a vulnerability called: “CVE-2016-2107”

So far I’ve tried the following without luck:

https://bobcares.com/blog/fix-high-severity-openssl-bugs-memory-corruption-padding-oracle-ubuntu-centos-redhat-opensuse-linux/

https://gist.github.com/ArturT/bc8836d3bedff801dc324ac959050d12

Anyone know how I can fix this issue? Thank you in advance for any help!

Add a comment
itsupport729928
By:
itsupport729928
Add a comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

3 answers
kamaln7 July 19, 2016

Hi!

The Ubuntu package maintainers have already pushed patched packages that should fix the vulnerability. Run the following command to upgrade the OpenSSL libraries on your system which Nginx uses:

sudo apt-get install --only-upgrade libssl1.0.0 openssl

You will need to restart Nginx in order for the changes to take effect:

sudo service nginx restart

Per the bobcares article that you linked, you can make sure that you got the right packages by checking if the vulnerability is mentioned in the changelog:

zgrep -ie "(CVE-2016-2108|CVE-2016-2107)" /usr/share/doc/libssl1.0.0/changelog.Debian.gz
Reply Report
  • itsupport729928 July 19, 2016

    Hey kamaln7, thanks so much for your reply.

    Here is the result of the commands you shared. Everything seemed to work except the last command… nothing happened? What can I do?

    asingh@Kings:~$ sudo apt-get install --only-upgrade libssl1.0.0 openssl
[sudo] password for asingh: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
libssl1.0.0 is already the newest version.
openssl is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
asingh@Kings:~$ sudo service nginx restart
nginx stop/waiting
nginx start/running, process 2836
asingh@Kings:~$ zgrep -ie "(CVE-2016-2108|CVE-2016-2107)" /usr/share/doc/libssl1.0.0/changelog.Debian.gz
asingh@Kings:~$
    Reply Report
    • c931b49c552bf74 July 28, 2016

      Did you figure out what the problem was? I’m experiencing the exact same behaviour.

      Reply Report
      • dpritchett August 5, 2016

        Yeah you just need to escape a few chars in that regex with \:

        $ zgrep -ie "\(CVE-2016-2108\|CVE-2016-2107\)" /usr/share/doc/libssl1.0.0/changelog.Debian.gz
    - debian/patches/CVE-2016-2107.patch: check that there are enough
    - CVE-2016-2107
    - debian/patches/CVE-2016-2108-1.patch: don't mishandle zero if it is
    - debian/patches/CVE-2016-2108-2.patch: fix ASN1_INTEGER handling in
    - CVE-2016-2108
        Reply Report
dpritchett August 5, 2016
[deleted]
Reply Report
visitor August 14, 2016

you can also check your fix here:
https://filippo.io/CVE-2016-2107

Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help