OpenSSL Patch Released
As pre-announced, OpenSSL today released an update fixing 14 security flaws [1]. The good news: The only "high" vulnerability is present in the recently release version 1.0.2, which as far as I know is not yet used in any major operating system. But numerous of the "medium" vulnerabilities do have code execution potential (e.g. "memory corruption" issues), so do not delay patching too much. To answer your boss's first question: "No. This is not as bad as heartbleed".
This update affects all versions of SSL back to 0.9.8. See the table below for exact version numbers
Major Version | Last Vulnerable | Patched | Max. Severity | OS/Linux Distro Affected |
---|---|---|---|---|
1.0.2 | 1.0.2 | 1.0.2a | high | |
1.0.1 | 1.0.1l | 1.0.1m | moderate | Ubuntu 14, CentOS 6, CentOS 6, RHEL 6, RHEL 7, OS X 10.10 |
1.0.0 (End of Live Dec 2015) | 1.0.0q | 1.0.0r | moderate | Ubuntu 12 |
0.9.8 (End of Live Dec 2015) | 0.9.8ze | 0.9.8zf | moderate | CentOS 5, RHEL 5 |
(the list of operating systems / linux distributions attempts to capture major versions and is not complete)
Summary of vulnerabilities
For many of the announcements, the impact is not clearly stated. Also note that some vulnerabilities only apply to stand alone scripts (e.g. during signing / encrypting files or verifying certificates loaded from files) and not to network clients or servers.
CVE | Description | Impact | OpenSSL Versions Affected | Rating | Server/ Client |
---|---|---|---|---|---|
CVE-2015-0291 | ClientHello sigalgs DoS | DoS | 1.0.2 | High | Server |
CVE-2015-0204 | RSA silently downgrades to EXPORT_RSA (FREAK). [this is a re-release to adjust rating from low to high, not a new issue] |
MitM | 1.0.1, 1.0.0, 0.9.8 | High | Server/Client |
CVE-2015-0290 | Multiblock corrupted pointer (64bit x86 CPUs that support AES NI instructions) | DoS | 1.0.2 | Moderate | Server/Client |
CVE-2015-0207 | Segmentation fault in DTLSv1_listen | DoS | 1.0.2 | Moderate | Server |
CVE-2015-0286 | Segmentation fault in ASN1_TYPE_cmp | DoS | 1.0.2, 1.0.1,1.0.0, 0.9.8 | Moderate | Server/Client |
CVE-2015-0208 | Segmentation fault for invalid PSS parameters | DoS | 1.0.2 | Moderate | Server/Client |
CVE-2015-0287 | ASN.1 structure reuse memory corruption | ? | 1.0.2, 1.0.1, 1.0.0, 0.9.8 | Moderate | neither |
CVE-2015-0289 | PKCS7 NULL Pointer dereferences | ? | 1.0.2, 1.0.1, 1.0.0, 0.9.8 | Moderate | Server/Client |
CVE-2015-0292 | Base64 decode | ? | 1.0.1, 1.0.0, 0.9.8 | Moderate | ? |
CVE-2015-0293 | DoS via reachable assert in SSLv2 servers | DoS | 1.0.2, 1.0.1, 1.0.0, 0.9.8 | Moderate | Server |
CVE-2015-1787 | Empty CKE with client auth and DHE | DoS | 1.0.2 | Moderate | Server |
CVE-2015-0285 | Handshake with unseeded PRNG | confidentiality | 1.0.2 | Low | Client |
CVE-2015-0209 | Use After Free following d2i_ECPrivatekey error | DoS | 1.0.2, 1.0.1, 1.0.0, 0.9.8 | Low | ? |
CVE-2015-0288 | X509_to_X509_REQ NULL pointer deref | DoS | 1.0.2, 1.0.1, 1.0.0, 0.9.8 | Low | ? |
[1] https://www.openssl.org/news/secadv_20150319.txt
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
Comments
Anonymous
Mar 19th 2015
9 years ago
:-|
.
Anonymous
Mar 19th 2015
9 years ago
Welcome to the OpenSSL Project
The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.
quoted directly from http://openssl.org/
Anonymous
Mar 19th 2015
9 years ago
Anonymous
Mar 19th 2015
9 years ago
Anonymous
Mar 19th 2015
9 years ago
:-|
.[/quote]
OpenSSL is a library that implements SSL as well as TLS. So don't let the name fool you.
Anonymous
Mar 19th 2015
9 years ago
- https://www.ssllabs.com/
- https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/03/03/top-10-vulnerabilities--february-2015
... I get the feeling the process/changeover/implementation has a -long- way to go.
:-|
.
Anonymous
Mar 19th 2015
9 years ago
(and yes I understand that it is EOS)
Anonymous
Mar 20th 2015
9 years ago