PHP – How To Fix Padding Oracle (CVE-2016-2107) On Ubuntu/Apache/PHP

Tags: apache-2.4, openssl, PHP, vulnerability

I am trying to fix CVE-2016-2107.

I consulted several sites, which do not seem to provide a clear answer for all cases:

I use Apache2 2.4.12 with PHP 5.5.26.

I ran: apt-get install openssl libssl-dev and sudo apt-get install libssl1.0.0.

It installed the new OpenSSL, but Apache/PHP still uses the old installation; phpinfo() shows:

openssl
OpenSSL support enabled
OpenSSL Library Version OpenSSL 1.0.1f 6 Jan 2014
OpenSSL Header Version OpenSSL 1.0.1f 6 Jan 2014

Proof new OpenSSL is installed:

ubuntu@ip-xxxxx:/usr/bin$ openssl version
OpenSSL 1.0.2h 3 May 2016

dpkg -l | grep ssl
ii libflac8:amd64 1.3.0-2ubuntu0.14.04.1 amd64 Free Lossless Audio Codec - runtime C library
ii libgnutls-openssl27:amd64 2.12.23-12ubuntu2.2 amd64 GNU TLS library - OpenSSL wrapper
ii libio-socket-ssl-perl 1.965-1ubuntu1 all Perl module implementing object oriented interface to SSL sockets
ii libnet-smtp-ssl-perl 1.01-3 all Perl module providing SSL support to Net::SMTP
ii libnet-ssleay-perl 1.58-1 amd64 Perl module for Secure Sockets Layer (SSL)
ii libssl-dev:amd64 1.0.2h-1+deb.sury.org~trusty+1 amd64 Secure Sockets Layer toolkit - development files
ii libssl-doc 1.0.1f-1ubuntu2.15 all Secure Sockets Layer toolkit - development documentation
ii libssl1.0.0:amd64 1.0.1f-1ubuntu2.19 amd64 Secure Sockets Layer toolkit - shared libraries
ii libssl1.0.2:amd64 1.0.2h-1+deb.sury.org~trusty+1 amd64 Secure Sockets Layer toolkit - shared libraries
ii openssl 1.0.2h-1+deb.sury.org~trusty+1 amd64 Secure Sockets Layer toolkit - cryptographic utility
ii python-openssl 0.13-2ubuntu6 amd64 Python 2 wrapper around the OpenSSL library
ii ssl-cert 1.0.33 all simple debconf wrapper for OpenSSL

apt-cache policy libssl1.0.2.
libssl1.0.2-dbg:
Installed: (none)
Candidate: 1.0.2h-1+deb.sury.org~trusty+1
Version table:
1.0.2h-1+deb.sury.org~trusty+1 0
500 http://ppa.launchpad.net/ondrej/php5/ubuntu/ trusty/main amd64 Packages

ubuntu@ip-xxxxx:/usr/bin$ apt-cache policy libssl-dev
libssl-dev:
Installed: 1.0.2h-1+deb.sury.org~trusty+1
Candidate: 1.0.2h-1+deb.sury.org~trusty+1
Version table:
*** 1.0.2h-1+deb.sury.org~trusty+1 0
500 http://ppa.launchpad.net/ondrej/php5/ubuntu/ trusty/main amd64 Packages
100 /var/lib/dpkg/status
1.0.1f-1ubuntu2.19 0
500 http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
1.0.1f-1ubuntu2 0
500 http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

Can someone please help me tell Apache/PHP about the new OpenSSL installation? Thanks!

Best Answer

I think that you are using the old PHP 5.5, which is linked with the old SSL libraries, so the current SSL libraries are not used. You can try to upgrade the PHP packages too.
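
Added example, not part of the original question or answer: one way to confirm which libssl/libcrypto files a running Apache/PHP process actually has loaded is to read its /proc/<pid>/maps on Linux. The function names and the sample maps excerpt are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post).
# ssl_libs_in_maps: read /proc/<pid>/maps-style text on stdin and print one
# line per distinct mapped libssl/libcrypto file:
#   "<path> current"  the mapped file is the one present on disk
#   "<path> stale"    the mapping is marked "(deleted)": the package was
#                     replaced on disk but the process still runs the old code
ssl_libs_in_maps() {
    awk '
        $6 ~ /\/lib(ssl|crypto)\.so/ {
            state = ($NF == "(deleted)") ? "stale" : "current"
            if (!seen[$6]++) print $6, state
        }'
}

# audit_pids: run the check against live processes. Reading another user's
# /proc/<pid>/maps normally requires root.
# Usage (assumes the Ubuntu process name apache2): audit_pids $(pgrep apache2)
audit_pids() {
    for pid in "$@"; do
        [ -r "/proc/$pid/maps" ] || continue
        ssl_libs_in_maps < "/proc/$pid/maps" | sed "s/^/pid $pid: /"
    done
}

# Constructed sample: maps excerpt of an Apache worker with mod_php loaded.
SAMPLE_MAPS='7f3a10000000-7f3a10200000 r-xp 00000000 ca:01 1234 /usr/lib/apache2/modules/libphp5.so
7f3a11000000-7f3a11055000 r-xp 00000000 ca:01 5678 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a11255000-7f3a11258000 rw-p 00055000 ca:01 5678 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a12000000-7f3a121c0000 r-xp 00000000 ca:01 5679 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0'

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_MAPS" | ssl_libs_in_maps
```

A binary linked against the soname libssl.so.1.0.0 never loads libssl.so.1.0.2, so installing the libssl1.0.2 package alongside it changes nothing for that process. A "stale" line means the service has to be restarted before a patched library takes effect.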