Bug 56596 - OpenSSL 1.0.1g is vulnerable to a man-in-the-middle attack
OpenSSL 1.0.1g is vulnerable to a man-in-the-middle attack
Status: RESOLVED FIXED
Product: Tomcat Native
Classification: Unclassified
Component: Library
1.1.30
PC All
: P2 critical with 58 votes (vote)
: ---
Assigned To: Tomcat Developers Mailing List
:
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2014-06-05 22:27 UTC by Bhupesh Saini
Modified: 2014-07-07 08:41 UTC (History)
6 users (show)



Attachments
DLL for Win32 (586.62 KB, application/zip)
2014-07-01 09:48 UTC, Martin Schelldorfer
Details
DLL for x64 (629.36 KB, application/zip)
2014-07-01 09:49 UTC, Martin Schelldorfer
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Bhupesh Saini 2014-06-05 22:27:31 UTC
Open SSL has issued a security advisory against a man-in -the-middle attack vulnerability and recommends to upgrade to open ssl version 1.0.1h
The latest Tomcat native library was build using openssl 1.0.1g.

Please create a new build with the latest open SSL version 1.0.1h to mitigate this vulnerability in tomcat native library. 

The following links describe the vulnerability - 
https://www.us-cert.gov/ncas/current-activity/2014/06/05/OpenSSL-Releases-Security-Advisory
http://www.openssl.org/news/secadv_20140605.txt
http://www.kb.cert.org/vuls/id/978508
Comment 1 Konstantin Kolinko 2014-06-24 12:47:03 UTC
See Comment 20 (and Comment 7) in issue 56363.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363#c20
Comment 2 Jeffrey.Janner 2014-06-25 15:36:36 UTC
This is CVE-2014-0224.
It's caused my rating on Qualys SSL test to drop from an A+ to an F.
Is there any way to mitigate the vulnerability?

Mladen? Any chance you could roll us out a new version pretty quickly?
Pretty please?

In the meantime, I'll see what I can do about building my own. I currently do not have the toolset required.
Comment 3 Klemen Novak 2014-06-25 21:03:33 UTC
Is there anyone working on this problem? Please fix the issue as soon as possible.

Thank you.
Comment 4 Konstantin Kolinko 2014-06-25 21:53:32 UTC
(In reply to Klemen Novak from comment #3)
> Is there anyone working on this problem?

One person, and it looks that it is not going very well.

The progress is discussed in issue 56363 and on dev mailing list.
Help is welcome.
Comment 5 Jeffrey.Janner 2014-06-25 23:01:37 UTC
I went ahead and downloaded MS Visual Studio Express today in hopes of trying to do my own build based on Mladen's instructions in Bug 56363.
Unfortunately, I'm juggling a half-dozen other time-critical projects right now, and that's as far as I've gotten.

Again, does anyone know if there is a way to mitigate the problem?  Perhaps limit the cipher list to strongest ciphers only?
Comment 6 Christopher Schultz 2014-06-27 23:45:40 UTC
Jeffrey, if you take a look at my post here (http://markmail.org/message/gex3hshaprlxcuzs), you'll find a DOS batch file that, with a few prerequisites, will download and build the 32-bit x86 openssl.exe and a statically-linked 32-bit x86 libtcnative-1.dll for you. (It downloads and builds all of the dependencies -- OpenSSL and APR, first).

I'm really only having trouble building the 64-bit flavors at this point.

My instructions were followed using a freely-downloadable Windows 8.1 VirtualBox image, so you can use and abuse it without mucking-up your own system.

Please join that thread on the dev list to discuss further. This is enough abuse of Bugzilla for now. ;)
Comment 7 Martin Schelldorfer 2014-07-01 07:11:44 UTC
I was able to build the DLL for Win32 and x64 using Visual Studio 2010.
It contains APR 1.5.1 and OpenSSL 1.0.1h 5 Jun 2014.

I tested the Win32 DLL on Tomcat 7.0.53 / Windows Server 2003 and it's working fine.

I can provide the DLLs (Win32 and x64) for further testing, if somebody is interested.
Comment 8 Klemen Novak 2014-07-01 07:58:47 UTC
Martin Schelldorfer is will test them. Please provide me with link. Thank you.

I will test them with tomcat 6 and 7 on windows 2008 R2 and then try with SSLLabs.
Comment 9 Martin Schelldorfer 2014-07-01 09:48:24 UTC
Created attachment 31776 [details]
DLL for Win32

DLL for Win32
APR 1.5.1 and OpenSSL 1.0.1h 5 Jun 2014
Comment 10 Martin Schelldorfer 2014-07-01 09:49:02 UTC
Created attachment 31777 [details]
DLL for x64

DLL for x64
APR 1.5.1 and OpenSSL 1.0.1h 5 Jun 2014
Comment 11 Martin Schelldorfer 2014-07-01 09:50:08 UTC
DLLs for Win32/x64

APR 1.5.1 and OpenSSL 1.0.1h 5 Jun 2014
Comment 12 Mark Thomas 2014-07-01 12:35:23 UTC
There appear to be a couple of problems with those DLLs.

The depends tool reports that:
- the 32-bit DLL depends on 64-bit libraries
- the 64-bit DLL depends the MS Visual C runtime msvcr100.dll

There a a few hoops that need to be jumped through to build these DLLs 'correctly' (i.e. with the same minimal dependencies as the ASF versions). Good progress has been made documenting these hoops in the last few days. The latest information can be found on the wiki:
http://wiki.apache.org/tomcat/BuildTcNativeWin

I've just got the build environment set up and I am about to start building the various versions (IA64, AMD64, X86) of OpenSSL and APR. I'll be updating the Wiki as I go along.
Comment 13 Mark Thomas 2014-07-01 14:56:12 UTC
(In reply to Mark Thomas from comment #12)
> There appear to be a couple of problems with those DLLs.
> 
> The depends tool reports that:
> - the 32-bit DLL depends on 64-bit libraries

That looks like incorrect analysis by the depends tool. I see the same for the 32-bit DLL I built.

> - the 64-bit DLL depends the MS Visual C runtime msvcr100.dll

This still looks like an issue though
Comment 14 Mark Thomas 2014-07-01 14:57:19 UTC
I have built x86 and x64 versions using what should be pretty much the same toolchain as is used for the releases. The results can be obtained from:
http://people.apache.org/~markt/dev/tomcat-native-1.1.31-dev/

I've performed a quick smoke test and they seem OK but further testing would be appreciated.
Comment 15 Martin Schelldorfer 2014-07-01 15:13:41 UTC
(In reply to Mark Thomas from comment #14)
> I have built x86 and x64 versions using what should be pretty much the same
> toolchain as is used for the releases. The results can be obtained from:
> http://people.apache.org/~markt/dev/tomcat-native-1.1.31-dev/
> 
> I've performed a quick smoke test and they seem OK but further testing would
> be appreciated.

I tested your 1.1.32-dev x86 DLL on Tomcat 7.0.53 / Windows Server 2003. It's working fine for me.
Comment 16 Klemen Novak 2014-07-02 06:17:59 UTC
Hi,

I tested Mark Thomas version and it works on my servers. Windows 2008 R2 x64, Tomcat 7.0.54 x64.

I also tested the server with SSLLabs and its ok.

I works fine.
Comment 17 Mark Thomas 2014-07-07 08:41:53 UTC
1.1.31 has been released (it may take up to 24 hours to reach all the mirrors) and the Windows binaries were built with OpenSSL 1.0.1h.

The formal release announcement is expected tomorrow once the new version has replicated to the mirrors.