CCS Injection patch for RHEL 4, CentOS 4 and EL 4 – CVE-2014-0224

CCS Injection, CVE-2014-0224, is a serious security vulnerability in the popular OpenSSL cryptography library that was publicly disclosed on June 5th, 2014 (the April 7th, 2014 date often confused with it belongs to Heartbleed, CVE-2014-0160).
The CVE description reads: OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.

To exploit it, an attacker must be an active man-in-the-middle on the path between client and server (passive monitoring is not enough), and both endpoints must run a vulnerable OpenSSL. The attacker injects a ChangeCipherSpec message early in the handshake, before the key exchange has completed, so that both sides derive their session keys from an empty master secret; the attacker can compute the same keys and then decrypt, read and modify the session. Per the OpenSSL advisory, every vulnerable client can be attacked this way, while servers are only known to be exploitable when running OpenSSL 1.0.1 or later, so on EL4 (OpenSSL 0.9.7a) the exposure is mainly client software such as wget, curl, mail or LDAP clients talking to a vulnerable server through an attacker.
Anything carried inside such a session can be captured or altered: user passwords, session cookies, sensitive data or even encryption keys exchanged over it.

OpenSSL versions fixing the vulnerability (0.9.8za, 1.0.0m and 1.0.1h) were released on June 5th, 2014.

All versions of CentOS 4.x, RHEL 4.x and EL 4.x are vulnerable, including 4.0, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8 and 4.9.

On June 10th, 2014, Oracle released RPMs with a fix for the CCS Injection vulnerability (CVE-2014-0224) for Oracle Enterprise Linux 4.

The packages released by Oracle can be used to patch systems running CentOS 4.x, RHEL 4.x and Oracle Enterprise Linux 4.x, and they do not require a subscription.

This makes them the practical option if you are running Red Hat Enterprise Linux 4.x without an Extended Life-cycle Support subscription.

Disclaimer: Proceed at your own risk; I am not responsible if the commands suggested here break something. Always have a backup in place, just in case.

Index of all the patches for x86_64 systems:
http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/x86_64/

Index of all the patches for i386/i686 systems:
http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/

Update example for x86_64 systems (you only need to download the openssl packages that are currently installed on the system, typically openssl itself and, if present, openssl-devel and openssl-perl):

Update example for i686 systems (again, download only the openssl packages that are currently installed):
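The following script is an added example and is not part of the original post or of Oracle's or Red Hat's tooling. It does what the two update examples above describe for either architecture: it lists the openssl packages actually installed with rpm, picks only the matching RPMs out of the Oracle EL4 index for the local architecture, installs them, and then verifies the fix. The verification uses the RPM changelog on purpose: EL4 carries backported fixes, so `openssl version` keeps printing 0.9.7a after the update and is not a useful check. Assumptions not stated on the page: wget and rpm are available, and the index URL is a plain HTML directory listing with one `href="...rpm"` link per line (the layout public-yum.oracle.com used). Any RPM file names that appear in comments are placeholders, not real package builds.

```shell
#!/bin/sh
# Added example, not from the original post or from Oracle/Red Hat.
# Fetches only the openssl RPMs already installed on this host from the
# Oracle EL4 index, installs them and verifies the fix via the RPM changelog.
# Assumptions: wget and rpm exist; the index is a plain HTML directory listing
# with one href="<file>.rpm" link per line. File names in comments are
# placeholders (e.g. openssl-VERSION-RELEASE.el4.x86_64.rpm), not real builds.
set -eu

ARCH="${ARCH:-$(uname -m)}"                 # x86_64, or i386 for i586/i686 hosts
case "$ARCH" in i?86) ARCH=i386 ;; esac
BASE="http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/$ARCH/"

# Read a directory-listing HTML page on stdin, print the RPM file names it links to.
rpm_names_from_index() {
    sed -n 's/.*href="\([^"/]*\.rpm\)".*/\1/p'
}

# $1    newline-separated package NAMEs installed locally (rpm -qa --qf '%{NAME}\n')
# stdin RPM file names as printed by rpm_names_from_index
# Prints only the files whose NAME is installed, so e.g. openssl-perl is skipped
# when it was never installed. NAME is everything before "-VERSION-RELEASE.ARCH.rpm";
# RPM forbids "-" in VERSION and RELEASE, so dropping the last two "-" fields is exact.
select_rpms() {
    installed="$1"
    while IFS= read -r f; do
        name=$(printf '%s\n' "$f" | sed 's/-[^-]*-[^-]*$//')
        if printf '%s\n' "$installed" | grep -qx -- "$name"; then
            printf '%s\n' "$f"
        fi
    done
}

# $1 = output of `rpm -q --changelog openssl`. Returns 0 when the fix is listed.
# Backported fixes do not change the upstream version string, so the changelog,
# not `openssl version`, tells you whether CVE-2014-0224 is addressed.
changelog_has_fix() {
    printf '%s\n' "$1" | grep -q 'CVE-2014-0224'
}

main() {
    installed=$(rpm -qa --qf '%{NAME}\n' 'openssl*')
    mkdir -p ccs-patch && cd ccs-patch
    wget -q -O - "$BASE" | rpm_names_from_index | select_rpms "$installed" |
        while IFS= read -r f; do wget -q "$BASE$f"; done
    # -F (freshen) only upgrades packages that are already installed.
    rpm -Fvh ./*.rpm
    if changelog_has_fix "$(rpm -q --changelog openssl)"; then
        echo "openssl changelog lists CVE-2014-0224: patched"
    else
        echo "CVE-2014-0224 not in openssl changelog: wrong or outdated RPM" >&2
        exit 1
    fi
    echo "Now restart every service linked against libssl (httpd, postfix, dovecot, ...)"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh ccs-patch.sh --run` on the EL4 host. If the index directory holds more than one build of the same package, delete the older files from ccs-patch before `rpm -Fvh` runs, or rpm will refuse the conflicting set. Long-running daemons keep the old libssl mapped until restarted, so the final reminder is not optional.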

The equivalent RPMs from Red Hat are published in advisory RHSA-2014:0627-1 for Red Hat Enterprise Linux ELS (v. 4); unlike the Oracle packages, they require an Extended Life-cycle Support subscription to download.
