ISC StormCast for Friday, April 20th 2012 http://isc.sans.edu/podcastdetail.html?id=2479

OpenSSL Security Advisory - CVE-2012-2110

Published: 2012-04-19
Last Updated: 2012-04-19 19:41:49 UTC
by Kevin Shortt (Version: 1)
1 comment(s)

Earlier today, the OpenSSL team released a fix for a recently discovered vulnerability that exposes applications, that use certain features of OpenSSL, to a heap overflow.

Since OpenSSL is used extensively, there is much speculation and discussion about who is vulnerable.  Here are some highlights and links of the reading I've done today.  

  • UPGRADE to the latest version as soon as you can. [1]
  • The SSL/TLS code of OpenSSL is *not* affected. [1]
    Which means, OpenSSH is NOT vulnerable.
  • Read a good detailed explanation of the vulnerability by Tavis Ormandy.  [2]  
    Tavis is credited with discovering the vulnerability. 
  • If Apache is using PEM for certificates, and not parsing untrusted data, then you risks are lower. [1]

[1]  http://www.openssl.org/news/secadv_20120419.txt
[2]  http://lists.grok.org.uk/pipermail/full-disclosure/2012-April/086585.html

Feel free to post a comment to discuss anything not spoken for in this diary.

-Kevin
--
ISC Handler on Duty

1 comment(s)
ISC StormCast for Thursday, April 19th 2012 http://isc.sans.edu/podcastdetail.html?id=2476

Comments


Diary Archives