
If you’re maintaining services on the internet, you know the importance of keeping up to date with security patches as they become available. Today is no exception, with the release of CVE-2016-0800, describing the ‘DROWN’ vulnerability in OpenSSL.
The key point of DROWN is that it lets an attacker passively decrypt recorded TLS sessions by abusing a server that still speaks the obsolete SSLv2 protocol. The server that speaks SSLv2 need not be the one whose traffic is decrypted: any service that shares the same RSA private key (or certificate) is exposed, even if it never offers SSLv2 itself, so the exposure is per key rather than per service. Patched OpenSSL builds disable SSLv2 by default, which is why the remediation is to install the updated package and then restart everything that loaded the old library. More information can be found at http://www.drownattack.com/.
The Red Hat specific announcement can be found in the Red Hat Knowledgebase.
Obviously, this is a big deal, but patching your systems for DROWN doesn’t have to be a big deal, thanks to Ansible.
Here’s a sample playbook for Red Hat/Fedora/CentOS and Debian/Ubuntu systems (link to source):
- hosts: all
  gather_facts: true
  sudo: true          # Ansible 1.x spelling; Ansible 2.x uses 'become: true'
  tasks:
    - name: update openssl from apt if available
      apt: name=openssl state=latest update_cache=yes
      when: ansible_os_family == 'Debian'
      notify: restart_system
    - name: update openssl from yum if available
      yum: name=openssl state=latest update_cache=yes
      when: ansible_os_family == 'RedHat'
      notify: restart_system
  handlers:
    - name: restart_system
      shell: sleep 2 && shutdown -r now "Ansible updates triggered"
      async: 1
      poll: 0
      ignore_errors: true
Because DROWN is not fully remediated until every process that loaded the old library has been restarted on the updated OpenSSL package, the playbook has a `restart_system` handler that reboots the host. If you know which services on a host use OpenSSL, you can restart just those instead; a process still holding the old library shows up in /proc/<pid>/maps with a "(deleted)" mapping of libssl or libcrypto. Two caveats: on Debian-family hosts the library itself ships in a separate package (libssl1.0.0 on Debian 8 and Ubuntu 14.04), so add it to the apt task rather than relying on the `openssl` binary package alone; and once services are back up, confirm from a client that the host no longer negotiates SSLv2, for example with the test tool linked from drownattack.com.
Note that this version merely installs the latest OpenSSL from your vendor’s repositories. If you know which versions are vulnerable for your OS, or the version in which the fix landed, you can write a playbook that asserts you are running a fixed build. Here’s an example for Red Hat Enterprise Linux systems: the `vulnerable_releases` table lists the last affected VERSION-RELEASE for each major release, anything at or below it is treated as vulnerable, and the play fails if the update does not move past it. (Note: if you’re on a particular EUS or ELS subscription, you may need to adjust the version check. Check the Red Hat Knowledgebase for details.) (link to source):
- hosts: all
  gather_facts: true
  sudo: true          # Ansible 1.x spelling; Ansible 2.x uses 'become: true'
  vars:
    # last VERSION-RELEASE still affected, keyed by RHEL major release
    vulnerable_releases:
      '5': '0.9.8e-37.el5_11'
      '6': '1.0.1e-42.el6_7.2'
      '7': '1.0.1e-51.el7_2.2'
    # RHEL 7 ships libssl/libcrypto in openssl-libs; RHEL 5 and 6 ship them in openssl
    openssl_pkg: "{{ 'openssl-libs' if ansible_distribution_major_version == '7' else 'openssl' }}"
  tasks:
    - name: check for openssl version
      shell: rpm -q --qf "%{VERSION}-%{RELEASE}" {{ openssl_pkg }}.{{ ansible_architecture }}
      register: openssl_version
    - name: check for vulnerable versions
      debug: msg="OpenSSL version is vulnerable."
      when: openssl_version.stdout|version_compare(vulnerable_releases[ansible_distribution_major_version], '<=')
      register: is_vuln
    - name: update openssl from yum if vulnerable
      yum: name={{ openssl_pkg }} state=latest update_cache=yes
      when: not is_vuln|skipped
      notify: restart_system
      register: installed
    - name: re-check openssl version after the update
      shell: rpm -q --qf "%{VERSION}-%{RELEASE}" {{ openssl_pkg }}.{{ ansible_architecture }}
      register: openssl_version
      when: not is_vuln|skipped
    - name: check that we are no longer vulnerable
      debug: msg="OpenSSL version is still vulnerable!"
      when: not is_vuln|skipped
      failed_when: openssl_version.stdout|version_compare(vulnerable_releases[ansible_distribution_major_version], '<=')
  handlers:
    - name: restart_system
      shell: sleep 2 && shutdown -r now "Ansible updates triggered"
      async: 1
      poll: 0
      ignore_errors: true
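To tie the two checks together outside Ansible, here is an added shell script (my own example, not code from the original post or from Ansible) that does what the playbook above does on the version side and also finds the processes the reboot handler exists for: those still mapping a libssl or libcrypto that has been replaced on disk. The package-name mapping (openssl-libs on RHEL 7, openssl on RHEL 5 and 6), the use of GNU `sort -V` in place of rpm’s own version comparison, the `PROC_ROOT` variable, and the constructed /proc tree and process names in the demo are all assumptions made for this example; the version table is copied from the playbook and should be verified against the advisory for your subscription.

```shell
#!/bin/sh
# Added example, not from the original post or Ansible. Verifies two things on a
# RHEL-family host after the OpenSSL update:
#   1. the installed library package is past the last vulnerable build, and
#   2. no running process still maps the old (replaced, hence "(deleted)") libssl/libcrypto.
# Assumptions: the package-name mapping below, GNU 'sort -V' standing in for rpmvercmp,
# and PROC_ROOT (default /proc) so the scan can be pointed at a constructed tree.

# Package that holds libssl/libcrypto: split out as openssl-libs in RHEL 7, part of openssl in 5 and 6.
ssl_lib_package() {
  case "$1" in
    7) echo openssl-libs ;;
    *) echo openssl ;;
  esac
}

# Last VERSION-RELEASE still affected, per major release (values copied from the playbook;
# check them against the Red Hat advisory before relying on them).
last_vulnerable() {
  case "$1" in
    5) echo 0.9.8e-37.el5_11 ;;
    6) echo 1.0.1e-42.el6_7.2 ;;
    7) echo 1.0.1e-51.el7_2.2 ;;
    *) return 1 ;;
  esac
}

# evr_is_fixed INSTALLED LAST_VULNERABLE: true when INSTALLED sorts strictly after LAST_VULNERABLE.
evr_is_fixed() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
}

# maps_has_stale_ssl MAPSFILE: true when a /proc/<pid>/maps listing still maps a libssl or
# libcrypto object that was replaced on disk; the kernel marks such mappings "(deleted)".
maps_has_stale_ssl() {
  grep -qE '/lib(ssl|crypto)\.so[^[:space:]]* \(deleted\)$' "$1"
}

# Print "PID COMM" for every process still running on the old library.
stale_ssl_processes() {
  root=${PROC_ROOT:-/proc}
  for maps in "$root"/[0-9]*/maps; do
    pid=${maps#"$root"/}; pid=${pid%/maps}
    if maps_has_stale_ssl "$maps" 2>/dev/null; then
      printf '%s %s\n' "$pid" "$(cat "$root/$pid/comm" 2>/dev/null || echo '?')"
    fi
  done
}

# check_host MAJOR INSTALLED_EVR: exit 0 only if the package is fixed and nothing stale is running.
check_host() {
  major=$1; installed=$2
  vuln=$(last_vulnerable "$major") || { echo "unknown RHEL major release: $major" >&2; return 2; }
  pkg=$(ssl_lib_package "$major")
  if ! evr_is_fixed "$installed" "$vuln"; then
    echo "$pkg-$installed is still vulnerable (last vulnerable build: $vuln)"
    return 1
  fi
  stale=$(stale_ssl_processes)
  if [ -n "$stale" ]; then
    printf '%s-%s is fixed, but these processes still map the old library:\n%s\n' "$pkg" "$installed" "$stale"
    return 1
  fi
  echo "$pkg-$installed is fixed and no process maps the old library"
}

# Constructed stand-in for /proc (not captured from a real host): an httpd that never
# restarted and still maps the deleted libraries, and an sshd restarted onto the new ones.
demo_fake_proc() {
  d=$(mktemp -d)
  mkdir -p "$d/4242" "$d/4300"
  cat >"$d/4242/maps" <<'EOF'
7f2a1c000000-7f2a1c1b2000 r-xp 00000000 fd:00 131231 /usr/lib64/libssl.so.1.0.1e (deleted)
7f2a1c600000-7f2a1c7a0000 r-xp 00000000 fd:00 131240 /usr/lib64/libcrypto.so.1.0.1e (deleted)
EOF
  echo httpd >"$d/4242/comm"
  cat >"$d/4300/maps" <<'EOF'
7f9b10000000-7f9b101b2000 r-xp 00000000 fd:00 140011 /usr/lib64/libssl.so.1.0.1e
7f9b10400000-7f9b105a0000 r-xp 00000000 fd:00 140020 /usr/lib64/libcrypto.so.1.0.1e
EOF
  echo sshd >"$d/4300/comm"
  echo "$d"
}

# Live use on a real host:
#   major=$(sed -n 's/.*release \([0-9]*\).*/\1/p' /etc/redhat-release)
#   check_host "$major" "$(rpm -q --qf '%{VERSION}-%{RELEASE}' "$(ssl_lib_package "$major")")"
# Offline demo on the constructed tree: ./drown_check.sh --demo
if [ "${1:-}" = "--demo" ]; then
  PROC_ROOT=$(demo_fake_proc); export PROC_ROOT
  check_host 7 1.0.1e-51.el7_2.2   # still vulnerable: not past the table entry
  check_host 7 1.0.1e-51.el7_2.4   # package fixed, but reports "4242 httpd"
  rm -rf "$PROC_ROOT"
fi
```

The stale-mapping scan is the piece worth keeping even if you never use the version table: it tells you exactly which services to bounce on a host where a full reboot is not an option, and it reports nothing only once every process has been restarted onto the new library.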
Note that if you have a Red Hat Satellite server in your environment, you’ll need to ensure that your nightly package sync has run and has the latest openssl packages: yum’s `state=latest` only installs what the configured repositories offer, so against a stale mirror the update task reports ok while leaving the old package in place. The version re-check in the second playbook is what catches that case.
Want to remediate DROWN, but haven’t used Ansible before? Getting started is easy.
