AnswerBun.com

How to fix OpenSSL Padding Oracle vulnerability (CVE-2016-2107) for nginx on debian jessie?

Server Fault Asked by allo on December 26, 2020

As far as i understood, it should be sufficient to upgrade openssl (done a long time ago, now installed all available updates again (no openssl there)) and restart nginx.
I even tried to stop nginx fully (verified it with ps) and start it again.

But ssllabs still tells me, that i am vulnerable. What else do i need to do, or what can be causing that its still vulnerable?

versions:

ii  nginx                              1.9.10-1                          all          small, powerful, scalable web/proxy server
ii  nginx-common                       1.9.10-1                          all          small, powerful, scalable web/proxy server - common files
ii  nginx-full                         1.9.10-1                          amd64        nginx web/proxy server (standard version)
ii  openssl                            1.0.1t-1+deb8u2                   amd64        Secure Sockets Layer toolkit - cryptographic utility

ii  libssl-dev:amd64                   1.0.1t-1+deb8u2                   amd64        Secure Sockets Layer toolkit - development files
ii  libssl-doc                         1.0.1t-1+deb8u2                   all          Secure Sockets Layer toolkit - development documentation
ii  libssl1.0.0:amd64                  1.0.1t-1+deb8u2                   amd64        Secure Sockets Layer toolkit - shared libraries
ii  libssl1.0.2:amd64                  1.0.2f-2                          amd64        Secure Sockets Layer toolkit - shared libraries

lsof related to nginx

lsof 2>/dev/null |grep -i libssl|grep nginx
nginx     17928              root  mem       REG              251,0    430560    2884885 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2
nginx     17929          www-data  mem       REG              251,0    430560    2884885 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2
nginx     17930          www-data  mem       REG              251,0    430560    2884885 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2
nginx     17932          www-data  mem       REG              251,0    430560    2884885 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2
nginx     17933          www-data  mem       REG              251,0    430560    2884885 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2

3 Answers

I got it.

I installed certbot from debian unstable, which installed 1.0.2f-2. unstable is pinned to priority "-100" (do not install from unstable unless requested with -t unstable). This means the version is between the jessie version 1.0.0X-Y and the current unstable version 1.0.2.h-1. This prevented an upgrade to the next version in unstable, while the upgrade in stable is an "older" version with respect to the version number.

Correct answer by allo on December 26, 2020

Installing the necessary updates ( as suggested by https://serverfault.com/users/126632/michael-hampton in the comments ) seems to fix the issue for me.

apt-get update && apt-get upgrade

Answered by drinchev on December 26, 2020

I had a similar issue on a Debian Wheezy Server. https://www.ssllabs.com/ssltest/ always showed that my server was vulnerable to CVE-2016-2107. Other servers ,with (in my opinion) same config, did not have this security issue.

openssl, apache, php - all the same versions and same config.

After some investigation i found out that mod_spdy was installed and activated on this particular server.

After uninstalling mod_spdy the issue was solved.

dpkg -r mod-spdy-beta 
dpkg -P mod-spdy-beta

from https://stackoverflow.com/questions/25593257/how-do-i-remove-spdy-mod-spdy

Answered by Martin Seitl on December 26, 2020

Add your own answers!

Related Questions

Docker compose errror when mounting the volumes

2  Asked on December 20, 2021 by zetacu

   

Domain Admin can not take ownership of files

2  Asked on December 20, 2021 by myles-rowley

   

NGINX – Only proxy a specific URL

1  Asked on December 20, 2021 by egyas

     

Assign a dedicated NIC to a KVM guest only

0  Asked on December 18, 2021 by nicapicella

   

Tasks Scheduler Windows High Availability

1  Asked on December 18, 2021 by julien-merice

       

MDB2, Pear, Mysql error

1  Asked on December 18, 2021 by kyle-hudson

   

Creating a Static IP With wlan0

4  Asked on December 18, 2021 by nmagerko

   

nginx mime types and gzip

2  Asked on December 18, 2021 by tompave

   

Golang – Nginx proxy pass issue

1  Asked on December 18, 2021 by arunkolhapur

   

Ask a Question

Get help from others!

© 2022 AnswerBun.com. All rights reserved. Sites we Love: PCI Database, MenuIva, UKBizDB, Menu Kuliner, Sharing RPP, SolveDir