
SANS ISC: OpenSSL Releases OpenSSL 1.0.1j, 1.0.0o and 0.9.8zc SANS ISC InfoSec Forums


This update to the OpenSSL Library addresses 4 vulnerabilities. One of these is the "POODLE" vulnerability announced yesterday.

CVE-2014-3513: A memory leak in parsing DTLS SRTP messages can lead to a denial of service. You are vulnerable unless you specifically compiled your OpenSSL library with the "OPENSSL_NO_SRTP" option. All 1.0.1 versions of OpenSSL are affected.

CVE-2014-3567: Another memory leak that can lead to a DoS attack. In this case, memory is not freed if an SSL session ticket fails an integrity check. OpenSSL 0.9.8, 1.0.0 and 1.0.1 are affected.

CVE-2014-3566 (POODLE): OpenSSL now supports TLS_FALLBACK_SCSV to prevent a MitM from downgrading an SSL connection. This affects OpenSSL 1.0.1, 1.0.0 and 0.9.8.

CVE-2014-3568: The "no-ssl3" build option, which is intended to disable SSLv3, may actually not work as advertised. This one is of course particularly important if you try to disable SSLv3.

Also, OpenSSL 0.9.8 is now officially end-of-life. Don't expect any more patches for 0.9.8.

---
Johannes B. Ullrich, Ph.D.
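
To triage an inventory against the releases named above, the following added example (not part of the original post and not OpenSSL project code) parses an `openssl version` banner and reports which of the post's CVEs the version predates. The function names and sample banners are constructed for illustration; CVE-2014-3568 is omitted because the post does not say which branches it affects.

```python
import re

# Fixed releases named in the post, keyed by branch.
FIXED = {"1.0.1": "j", "1.0.0": "o", "0.9.8": "zc"}

# CVEs the post ties to each branch.
BRANCH_CVES = {
    "1.0.1": ["CVE-2014-3513", "CVE-2014-3567", "CVE-2014-3566"],
    "1.0.0": ["CVE-2014-3567", "CVE-2014-3566"],
    "0.9.8": ["CVE-2014-3567", "CVE-2014-3566"],
}


def parse_version(banner):
    """Return (branch, patch_letter) from an `openssl version` banner, or None."""
    m = re.search(r"(\d+\.\d+\.\d+)([a-z]*)", banner)
    return (m.group(1), m.group(2)) if m else None


def unpatched_cves(banner):
    """CVEs from the post that the reported version predates.

    Returns None when the banner cannot be parsed or the branch is not one
    the post covers, so "unknown" is never mistaken for "patched".
    """
    parsed = parse_version(banner)
    if parsed is None or parsed[0] not in FIXED:
        return None
    branch, letter = parsed
    # Patch letters run a..z, then za, zb, ...; plain string comparison
    # orders them correctly ("" < "a" < "z" < "za" < "zc").
    if letter >= FIXED[branch]:
        return []
    return list(BRANCH_CVES[branch])


if __name__ == "__main__":
    # Constructed sample banners, not taken from real hosts.
    samples = [
        "OpenSSL 1.0.1e-fips",
        "OpenSSL 1.0.1j",
        "OpenSSL 1.0.0n",
        "OpenSSL 0.9.8za",
        "OpenSSL 0.9.8zc",
        "OpenSSL 1.0.2",
    ]
    for banner in samples:
        print(f"{banner!r}: {unpatched_cves(banner)}")
```

Distribution packages often backport fixes without changing the upstream version letter, so a hit here is a prompt to check the vendor's advisory rather than proof of exposure.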