How To Fix CVE-2016-2107 on Ubuntu 14.04?

July 19, 2016 24.2k views
Let's Encrypt Nginx Security DigitalOcean Node.js Ubuntu
itsupport729928
By:
itsupport729928

Hello Digital Ocean Community -

For reference my setup is Ubuntu 14.04 with nginx

I need your help! I followed this guide (https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04) to set up KingsKidsClub.com and SacramentoKingsKidsClub.com.

Installation went well except for testing the security on ssllabs at the end of step 3. See:
https://www.ssllabs.com/ssltest/analyze.html?d=kingskidsclub.com
https://www.ssllabs.com/ssltest/analyze.html?d=sacramentokingskidsclub.com

I failed both tests, apparently I have a vulnerability called: "CVE-2016-2107"

So far I've tried the following without luck:

https://bobcares.com/blog/fix-high-severity-openssl-bugs-memory-corruption-padding-oracle-ubuntu-centos-redhat-opensuse-linux/

https://gist.github.com/ArturT/bc8836d3bedff801dc324ac959050d12

Anyone know how I can fix this issue? Thank you in advance for any help!

Log In to Comment
3 Answers
kamaln7 MOD July 19, 2016

Hi!

The Ubuntu package maintainers have already pushed patched packages that should fix the vulnerability. Run the following command to upgrade the OpenSSL libraries on your system which Nginx uses:

sudo apt-get install --only-upgrade libssl1.0.0 openssl

You will need to restart Nginx in order for the changes to take effect:

sudo service nginx restart

Per the bobcares article that you linked, you can make sure that you got the right packages by checking if the vulnerability is mentioned in the changelog:

zgrep -ie "(CVE-2016-2108|CVE-2016-2107)" /usr/share/doc/libssl1.0.0/changelog.Debian.gz
Reply
  • itsupport729928 July 19, 2016

    Hey kamaln7, thanks so much for your reply.

    Here is the result of the commands you shared. Everything seemed to work except the last command... nothing happened? What can I do?

    asingh@Kings:~$ sudo apt-get install --only-upgrade libssl1.0.0 openssl
[sudo] password for asingh: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
libssl1.0.0 is already the newest version.
openssl is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
asingh@Kings:~$ sudo service nginx restart
nginx stop/waiting
nginx start/running, process 2836
asingh@Kings:~$ zgrep -ie "(CVE-2016-2108|CVE-2016-2107)" /usr/share/doc/libssl1.0.0/changelog.Debian.gz
asingh@Kings:~$
    • c931b49c552bf74 July 28, 2016

      Did you figure out what the problem was? I'm experiencing the exact same behaviour.

      • dpritchett August 5, 2016

        Yeah you just need to escape a few chars in that regex with \:

        $ zgrep -ie "\(CVE-2016-2108\|CVE-2016-2107\)" /usr/share/doc/libssl1.0.0/changelog.Debian.gz
    - debian/patches/CVE-2016-2107.patch: check that there are enough
    - CVE-2016-2107
    - debian/patches/CVE-2016-2108-1.patch: don't mishandle zero if it is
    - debian/patches/CVE-2016-2108-2.patch: fix ASN1_INTEGER handling in
    - CVE-2016-2108
dpritchett August 5, 2016
[deleted]
Reply
visitor August 14, 2016

you can also check your fix here:
https://filippo.io/CVE-2016-2107

Reply
Have another answer? Share your knowledge.

Related Questions