How To Fix CVE-2016-2107 on Ubuntu 14.04?

July 19, 2016
Let's Encrypt Nginx Security DigitalOcean Node.js Ubuntu

Hello Digital Ocean Community -

For reference, my setup is Ubuntu 14.04 with nginx.

I need your help! I followed this guide (https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04) to set up KingsKidsClub.com and SacramentoKingsKidsClub.com.

Installation went well except for testing the security on ssllabs at the end of step 3. See:
https://www.ssllabs.com/ssltest/analyze.html?d=kingskidsclub.com
https://www.ssllabs.com/ssltest/analyze.html?d=sacramentokingskidsclub.com

I failed both tests; apparently I have a vulnerability called "CVE-2016-2107".

So far I've tried the following without luck:

https://bobcares.com/blog/fix-high-severity-openssl-bugs-memory-corruption-padding-oracle-ubuntu-centos-redhat-opensuse-linux/

https://gist.github.com/ArturT/bc8836d3bedff801dc324ac959050d12

Anyone know how I can fix this issue? Thank you in advance for any help!

3 Answers

Hi!

The Ubuntu package maintainers have already pushed patched packages that should fix the vulnerability. Run the following command to upgrade the OpenSSL libraries on your system which Nginx uses:

sudo apt-get install --only-upgrade libssl1.0.0 openssl

You will need to restart Nginx in order for the changes to take effect:

sudo service nginx restart

Per the bobcares article that you linked, you can make sure that you got the right packages by checking if the vulnerability is mentioned in the changelog:

zgrep -ie "(CVE-2016-2108|CVE-2016-2107)" /usr/share/doc/libssl1.0.0/changelog.Debian.gz
  • Hey kamaln7, thanks so much for your reply.

    Here is the result of the commands you shared. Everything seemed to work except the last command... nothing happened? What can I do?

    asingh@Kings:~$ sudo apt-get install --only-upgrade libssl1.0.0 openssl
    [sudo] password for asingh: 
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    libssl1.0.0 is already the newest version.
    openssl is already the newest version.
    0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
    asingh@Kings:~$ sudo service nginx restart
    nginx stop/waiting
    nginx start/running, process 2836
    asingh@Kings:~$ zgrep -ie "(CVE-2016-2108|CVE-2016-2107)" /usr/share/doc/libssl1.0.0/changelog.Debian.gz
    asingh@Kings:~$ 
    
    • Did you figure out what the problem was? I'm experiencing the exact same behaviour.

      • Yeah you just need to escape a few chars in that regex with \:

        $ zgrep -ie "\(CVE-2016-2108\|CVE-2016-2107\)" /usr/share/doc/libssl1.0.0/changelog.Debian.gz
            - debian/patches/CVE-2016-2107.patch: check that there are enough
            - CVE-2016-2107
            - debian/patches/CVE-2016-2108-1.patch: don't mishandle zero if it is
            - debian/patches/CVE-2016-2108-2.patch: fix ASN1_INTEGER handling in
            - CVE-2016-2108
        
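An added check script (not from this thread or from DigitalOcean) that verifies a package changelog mentions the CVE ids with a correct alternation, and shows why the first zgrep printed nothing: in basic grep the unescaped `(` and `|` are literal characters. It assumes a POSIX sh, a grep that supports `-E`, and gzip for `.gz` changelogs; the sample changelog is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumes POSIX sh, grep -E and gzip.

# Print a changelog as plain text whether or not it is gzip-compressed.
read_changelog() {
    case "$1" in
        *.gz) gzip -cdf -- "$1" ;;
        *)    cat -- "$1" ;;
    esac
}

# Usage: cve_mentioned FILE CVE-ID [CVE-ID ...]
# Exit 0 if any of the given CVE ids appears in FILE, 1 otherwise.
# grep -E makes "|" an alternation, so no backslash escaping is needed.
cve_mentioned() {
    file=$1; shift
    pattern=$(printf '%s|' "$@"); pattern=${pattern%|}
    read_changelog "$file" | grep -Eiq -- "($pattern)"
}

# Count lines matched by the thread's original pattern under basic grep.
# "(", ")" and "|" are literal there, so a correct changelog yields 0:
# that is why the first command produced no output.
count_with_basic_pattern() {
    read_changelog "$1" | grep -ic -- "(CVE-2016-2108|CVE-2016-2107)" || true
}

# Constructed sample changelog (header is a placeholder, entries are the
# lines quoted in the thread) so the functions can be exercised offline.
sample_changelog() {
    cat <<'EOF'
openssl (0.0.0-constructed) trusty-security; urgency=medium
    - debian/patches/CVE-2016-2107.patch: check that there are enough
    - CVE-2016-2107
    - debian/patches/CVE-2016-2108-1.patch: don't mishandle zero if it is
    - debian/patches/CVE-2016-2108-2.patch: fix ASN1_INTEGER handling in
    - CVE-2016-2108
EOF
}

# Stand-alone use against the real file from the thread:
#   cve_mentioned /usr/share/doc/libssl1.0.0/changelog.Debian.gz \
#       CVE-2016-2107 CVE-2016-2108 && echo "fix listed in changelog"
```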