OpenSSL Padding Oracle vulnerability (CVE-2016-2107) + Nginx - nginx

I was trying the Qualys SSL Labs test and it told me that the server is vulnerable to the OpenSSL Padding Oracle vulnerability (CVE-2016-2107). I googled around on how to fix this, and although the OpenSSL version installed on my system (Ubuntu 14.04) should be patched for that according to this link, I was still getting this error.
I tried upgrading OpenSSL but it was already the newest version, so I manually installed a newer version following the instructions here, which went fine, but that didn't fix anything. Looking at the info from Nginx, it seems it still runs with the previous version:
nginx -V
nginx version: nginx/1.10.2
built with OpenSSL 1.0.1f 6 Jan 2014 (running with OpenSSL 1.0.2g-fips 1 Mar 2016)
while OpenSSL has clearly been updated:
openssl version
OpenSSL 1.0.2j 26 Sep 2016
Any idea how to get all this sorted out?
Note that yes, I did restart Nginx, I even tried sudo service nginx upgrade and even rebooted the server.
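The useful number in the `nginx -V` output above is the "running with" one: nginx loads the system libssl at run time, and a second OpenSSL installed by hand under another prefix does not change which library it loads. The following is an added example (not from the question or from nginx) that parses that line and checks the run-time library against the releases that carry the CVE-2016-2107 fix (1.0.1t and 1.0.2h, per the OpenSSL advisory of 3 May 2016); the sample output is constructed from the question.

```python
import re

# Constructed sample of the `nginx -V` output quoted in the question.
NGINX_V_SAMPLE = (
    "nginx version: nginx/1.10.2\n"
    "built with OpenSSL 1.0.1f 6 Jan 2014 "
    "(running with OpenSSL 1.0.2g-fips 1 Mar 2016)\n"
)

# First release of each affected branch that contains the CVE-2016-2107 fix.
CVE_2016_2107_FIXED = {(1, 0, 1): "1.0.1t", (1, 0, 2): "1.0.2h"}

VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, fix, letters) for the first OpenSSL version in text."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def versions_from_nginx_v(output):
    """Extract build-time and run-time OpenSSL versions from `nginx -V` output.

    When nginx prints no "(running with ...)" part, both libraries are the same.
    """
    built = running = None
    for line in output.splitlines():
        if line.startswith("built with OpenSSL"):
            built = parse_openssl_version(line)
            m = re.search(r"\(running with (OpenSSL [^)]*)\)", line)
            running = parse_openssl_version(m.group(1)) if m else built
    return built, running


def is_fixed_for_cve_2016_2107(version):
    """True/False for the 1.0.1 and 1.0.2 branches; None for other branches."""
    fixed = CVE_2016_2107_FIXED.get(version[:3])
    if fixed is None:
        return None
    # Patch letters sort lexicographically: "" < "a" < ... < "g" < "h".
    return version >= parse_openssl_version("OpenSSL " + fixed)


def assess(output):
    """Summarise which library nginx actually runs with and whether it is patched."""
    built, running = versions_from_nginx_v(output)
    return {"built": built, "running": running,
            "running_fixed": is_fixed_for_cve_2016_2107(running)}
```

For the sample above the run-time library is 1.0.2g, which predates 1.0.2h, so the SSL Labs finding is consistent with what nginx is loading; the 1.0.2j binary installed by hand is simply not the library nginx uses.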

Related

ERROR 2002 (HY000): Can't connect to server on 'xxx.xxx.XX' (60) (MariaDB 10.8)

Since a day or so I can not access the databases on two of my servers any longer
I use
mysql -h host.sld.TLD -P 3306 -user user
which I have configured to allow my user from my host without password
but get the above error.
However, when I use
telnet host.sld.TLD 3306
I get
5.5.5-10.8.5-MariaDB-1:10.8.5+maria~ubu2004(si4cyW'Y��-n;{ypDA\)VU)mysql_native_passwordC
I am using homebrew's mariadb (currently 10.9.3) on my machine, which I can reach from the outside. One of the 'failed' remotes is on Ubuntu with 10.8 and one is on a Mac, also with 10.8, and outgoing works from both. OpenSSL is version 1.1.1s on both Macs.
I have installed a number of different mariadb versions; all have the same issues, as do their perl libraries. mysql itself works.
What am I doing wrong here?
This issue has been fixed in MariaDB 10.9.4, which was released yesterday. Brew still offers 10.9.3; usually it takes a couple of days until the latest 10.9 release is available via brew.
The issue doesn't affect the server itself, but Connector/C and command line tools which link against Connector/C.
See also: MariaDB connector in Python cannot connect to remote server

pypi remote repository fails SSL Test

It appears that sometime in June of this year our SSL validation inside of Artifactory started to fail for https://files.pythonhosted.org. As a result we are no longer able to resolve remote lookups for python packages not hosted locally.
The error when I click Test on the remote repository settings page with https://files.pythonhosted.org as the hostname:
Connection to remote repository failed: Certificate for doesn't match
any of the subject alternative names:
[r.shared-319-default.ssl.fastly.net]
When I try to validate the SSL using openssl on the host linux server:
openssl s_client -connect files.pythonhosted.org:443
subject=/CN=r.shared-319-default.ssl.fastly.net
If I pass the servername flag to openssl it finds the right cert:
openssl s_client -servername files.pythonhosted.org -connect files.pythonhosted.org:443
subject=/CN=*.pythonhosted.org
How do I go about fixing this in the UI?
server: CentOS Linux release 7.7.1908 (Core)
artifactory version: EnterpriseX license 7.3.2 rev 70302900
EDIT
Appears this is most likely caused by the version of artifactory this specific instance is running. I was able to check a newer version than what this instance is running and it works correctly.
EDIT2
The system.yaml contained the following
extraJavaOpts: -Djsse.enableSNIExtension=false
this was preventing Artifactory from resolving SNI-enabled domains. Fixed!
I tested the reported scenario. Executing an openssl command to retrieve the certificate from the Python registry returns a certificate with a different CN from the expected one.
Command:
openssl s_client -showcerts -connect files.pythonhosted.org:443 </dev/null
I couldn't confirm if this is an issue with a redirect. However, executing the command to retrieve the certificate with the server name specified appears to reveal the actual certificate for the remote site.
So, could you please try using the following command, collect the certificate and use this certificate to replace the already amended certificates in support of this remote connection?
openssl s_client -showcerts -connect files.pythonhosted.org:443 -servername files.pythonhosted.org </dev/null
I'm not familiar with the artifactory you mentioned. But I can give you a hint on the certificate part: in general, your issue is caused by the website files.pythonhosted.org supporting SNI while your client side cannot handle SNI.
To check the server website ssl information, you can visit:
https://www.ssllabs.com/ssltest/analyze.html?d=files.pythonhosted.org&s=151.101.1.63
In the result, you can see a line "Certificate #2: RSA 2048 bits (SHA256withRSA) No SNI" which means there are 2 certificates in the server, and for more explanation, you can check
https://support.cpanel.net/hc/en-us/articles/360055289933-Why-is-SSLLabs-Certificate-2-RSA-2048-bits-SHA256withRSA-No-SNI-test-showing-an-error-
Older OpenSSL versions also cannot handle SNI correctly, which is why your openssl command is not returning the expected result. Actually, the same command
openssl s_client -showcerts -connect files.pythonhosted.org:443
with OpenSSL 1.0.2k-fips on Oracle Linux 7, it returns:
r.shared-319-default.ssl.fastly.net
with OpenSSL 1.1.1 FIPS on Centos 8, it returns: *.pythonhosted.org
So the issue may be related to https://www.jfrog.com/jira/browse/HAP-556
https://www.jfrog.com/jira/si/jira.issueviews:issue-html/BI-167/BI-167.html

RStudio access from browser

I installed RStudio on Linux server Ubuntu 18.04 and I couldn't access it from browser. I used
:8787 and I got the error
This site can’t be reached
ERR_CONNECTION_TIMED_OUT
I disabled the firewall and still get the same error. When I run
$sudo rstudio-server verify-installation
I got error
11 Jul 2020 14:53:12 [rsession-rstudio-server] ERROR system error 13 (Permission denied) [path:
/home/rstudio-server/.config/rstudio/dictionaries/custom, target-dir: ]; OCCURRED AT
rstudio::core::Error rstudio::core::FilePath::createDirectory(const string&) const
src/cpp/shared_core/FilePath.cpp:634; LOGGED FROM: std::vector<std::__cx
I am new to both Linux and RStudio. Any help to figure out this problem would be appreciated.
Thank you
Which version of RStudio Server do you use?
I had a similar problem with (1.3.959) on Ubuntu 18.04. I installed the latest from https://rstudio.com/products/rstudio/download-server/debian-ubuntu/.
wget https://download2.rstudio.org/server/bionic/amd64/rstudio-server-1.3.1056-amd64.deb
sudo gdebi rstudio-server-1.3.1056-amd64.deb
After that I also needed to restart apache2.service:
systemctl restart apache2.service
$ rstudio-server version
1.3.1056 (Water Lily) for Ubuntu Bionic
And after that it works fine.
Also good sources:
https://community.rstudio.com/t/rstudio-server-instal-on-ubuntu-does-not-create-home-directory-home-rstudio-server/69785
https://community.rstudio.com/t/problem-rstudio-server-installed-in-ubuntu20-04/68506

WooCommerce Gateway PayPal Express Checkout requires OpenSSL >= 1.0.1

I am running OSX Sierra 10.12.5 with PHP 5.6.30 and have a local Wordpress / WooCommerce setup with the "woocommerce-gateway-paypal-express-checkout" plugin installed. I am seeing an error in the admin relating to my OpenSSL version:
WooCommerce Gateway PayPal Express Checkout requires OpenSSL >= 1.0.1 to be installed on your server
I also have other issues with cURL requests to https pages, as well as the Wordpress update check not working, which I understand to be related.
In my php info, I have this entry for OpenSSL
OpenSSL support enabled
OpenSSL Library Version LibreSSL 2.2.7
OpenSSL Header Version LibreSSL 2.2.7
Openssl default config /private/etc/ssl/openssl.cnf
From the command line, the version is reported as:
openssl version
OpenSSL 0.9.8zh 14 Jan 2016
which openssl
/usr/bin/openssl
Lastly, the server environment reported by WooCommerce status is:
### Server Environment ###
Server Info: Apache/2.4.25 (Unix) LibreSSL/2.2.7 PHP/5.6.30
PHP Version: 5.6.30
PHP Post Max Size: 8 MB
PHP Time Limit: 31
PHP Max Input Vars: 1000
cURL Version: 7.51.0
SecureTransport
I am at a loss as to how to fix this. I understand that the LibreSSL is a branch of OpenSSL, and is more secure. I have searched for a solution, and several seem to suggest running brew install openssl and then brew upgrade openssl. This doesn't seem to fix the problem. I know there are several similar or related questions, but most of the responses were either a couple of years old, or seemed to cause other problems.
I have several machines with this problem and would really like to get a better understanding for what is going wrong.

Ubuntu Server 16.04 with dropbear

Trying to get Dropbear to work with Ubuntu Server 16.04 to enable remote disk decryption.
I am following this tutorial
But failing at this step: sudo cp /etc/initramfs-tools/root/.ssh/id_rsa ~/id_rsa_dropbear
as the file /etc/initramfs-tools/root/.ssh/id_rsa does not exist on Ubuntu Server 16.04.
Any help would be great.
Thanks
alexis
Managed to figure it out in the end. I ended up writing a blog post about it here: Unlocking Ubuntu Server 16 encrypted LUKS using Dropbear SSH. The post I wrote is very heavily based on the answer I found here, SSH to decrypt encrypted LVM during headless server boot?, and all I did was change the version 16 specific parts.
cheers
alexis