
How does determine OpenSSL version?

Question asked by Rachel Parker on Nov 22, 2016
Latest reply on Dec 7, 2016 by Rachel Parker

How does determine if a server has patched for the CVE-2016-2107 vulnerability?  I believe my websites are incorrectly showing as being vulnerable.  I'd rather not post an example website if at all possible.

A "Test your server" run from reports that my websites are vulnerable to OpenSSL Padding Oracle vuln.

I believe this is due to the way Red Hat machines handle versioning. The initially installed package is always reported, and the change log must be mined to find the latest patches and bug fixes.

Here is what you get when you ask the server for its openssl version:

[root@~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

However, when the change log is checked, it is clear this server has the fix for CVE-2016-2107:

[root@ ~]# rpm -qa --changelog openssl | grep 2107
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC

We sometimes have customers running our sites through this tool and would like a way for me to have our sites show up correctly.
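The check the post describes, packaged as a small script. This is an added example, not code from the original post or from any scanner vendor: on Red Hat style systems the `openssl version` string stays at the originally shipped release while security fixes are backported, so the package changelog (`rpm -q --changelog`) rather than the version string is what records whether a given CVE fix is present. The function names, the sample changelog fragment and the `--live` switch are constructed here; `check_installed_package` assumes `rpm` is installed and is only meaningful on an RPM-based host.

```shell
#!/bin/sh
# Added example (not from the original post). Wraps the rpm-changelog
# check in reusable functions. Package name and CVE id are parameters.

# cve_fixed_in_changelog CHANGELOG_TEXT CVE_ID
# Exit 0 if the changelog mentions CVE_ID as a whole identifier
# (a search for CVE-2016-210 must not match an entry for CVE-2016-2107), else 1.
cve_fixed_in_changelog() {
    printf '%s\n' "$1" | grep -E -i -q "(^|[^0-9A-Za-z])$2([^0-9]|$)"
}

# cve_fix_entry CHANGELOG_TEXT CVE_ID
# Print the first changelog line that mentions CVE_ID (prints nothing if none).
cve_fix_entry() {
    printf '%s\n' "$1" | grep -E -i "(^|[^0-9A-Za-z])$2([^0-9]|$)" | head -n 1
}

# check_installed_package PACKAGE CVE_ID
# Live check on an RPM-based host; assumes rpm is present (not exercised by
# the offline test). Prints a status line; exit 0 when the fix entry exists,
# 1 when it is absent, 2 when the package cannot be queried.
check_installed_package() {
    cip_pkg=$1
    cip_cve=$2
    cip_log=$(rpm -q --changelog "$cip_pkg" 2>/dev/null) || {
        echo "$cip_pkg: package not installed or rpm unavailable"
        return 2
    }
    cip_entry=$(cve_fix_entry "$cip_log" "$cip_cve")
    if [ -n "$cip_entry" ]; then
        echo "$(rpm -q "$cip_pkg"): fix present: $cip_entry"
        return 0
    fi
    echo "$(rpm -q "$cip_pkg"): no changelog entry for $cip_cve"
    return 1
}

# Constructed sample changelog fragment modelled on the post's grep output.
# The maintainer name, date and release number are placeholders, not real
# rpm output for any particular build.
SAMPLE_CHANGELOG='* Tue May 03 2016 Example Maintainer <maint@example.invalid> 1.0.1e-0.example
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
* Mon Feb 11 2013 Example Maintainer <maint@example.invalid> 1.0.1e-1.example
- new upstream version'

# Stand-alone use: `sh check_cve.sh` runs against the constructed sample,
# `sh check_cve.sh --live` queries the installed openssl package via rpm.
if [ "${1:-}" = "--live" ]; then
    check_installed_package openssl CVE-2016-2107
else
    cve_fix_entry "$SAMPLE_CHANGELOG" CVE-2016-2107
fi
```

The whole-identifier boundary in the pattern matters because a bare `grep 2107`, as in the post, would also match any unrelated CVE id or release number containing those digits; anchoring on the full `CVE-YYYY-NNNN` token keeps the result tied to the advisory being checked.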