Multiple Vulnerabilities in OpenSSL Patched

Dated: June 12, 2015

Summary:
The OpenSSL project has released updates that fix several serious vulnerabilities. The most severe, the Logjam weakness in DHE key exchange, lets a man-in-the-middle attacker downgrade a TLS connection to weak export-grade Diffie-Hellman parameters and then read or modify the data passed over it; the remaining issues let a remote attacker crash or hang affected clients and servers. Administrators should install the updated releases promptly to protect the confidentiality, integrity and availability of data passing over SSL/TLS connections.

Description:
The vulnerabilities fixed in these releases are of a serious nature. Patches have been released for the following issues:

– DHE man-in-the-middle protection (Logjam, CVE-2015-4000): an attacker in the path can force a DHE handshake down to weak export-grade 512-bit parameters; patched clients now reject DH parameters shorter than 768 bits
– Malformed ECParameters causing an infinite loop (CVE-2015-1788)
– Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
– PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
– CMS verify infinite loop with an unknown hash function (CVE-2015-1792)
– Race condition handling NewSessionTicket (CVE-2015-1791)

Note that the Logjam fix is a client-side check only. Server operators should also generate and deploy Diffie-Hellman parameters of at least 2048 bits, since a server still offering export-grade or 1024-bit parameters leaves unpatched clients exposed to the downgrade.

Recommendations:
– OpenSSL 1.0.2 users should upgrade to 1.0.2b
– OpenSSL 1.0.1 users should upgrade to 1.0.1n
– OpenSSL 1.0.0 users should upgrade to 1.0.0s
– OpenSSL 0.9.8 users should upgrade to 0.9.8zg
– After upgrading, restart every service that has the OpenSSL library loaded (web servers, mail servers, VPN daemons), since a running process keeps using the old code until it is restarted


NUST CSIRT encourages users and administrators to consult the OpenSSL security advisory [1] for more details.
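The recommendations above amount to "compare the installed OpenSSL release against the fixed release for its branch". The following script, added here as an illustration and not taken from the advisory or from OpenSSL itself, does that comparison for the output of `openssl version`. It encodes the fixed releases listed above and handles OpenSSL's letter-suffix ordering (a < b < ... < z < za < zb ...), which a plain string comparison gets wrong. The sample version strings in it are constructed for the example.

```python
import re
import subprocess

# Minimum fixed releases per branch, as listed in the 11 Jun 2015 OpenSSL advisory.
FIXED_RELEASES = {
    "1.0.2": "1.0.2b",
    "1.0.1": "1.0.1n",
    "1.0.0": "1.0.0s",
    "0.9.8": "0.9.8zg",
}

# Matches "1.0.1e" inside strings such as "OpenSSL 1.0.1e-fips 11 Feb 2013".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Extract an OpenSSL version from free text.

    Returns (major, minor, fix, letters) or None if no version is present.
    The letter suffix is stored as (length, string) so that tuple comparison
    orders "" < "a" < ... < "z" < "za" < "zb" < ... < "zg" correctly.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), (len(letters), letters))


def check_version(version_text):
    """Classify a version string against the advisory's fixed releases.

    Returns one of:
      ("ok", fixed)       at or above the fixed release for its branch
      ("upgrade", fixed)  below the fixed release for its branch
      ("unknown", None)   unparseable, or a branch the advisory does not cover
    """
    v = parse_version(version_text)
    if v is None:
        return ("unknown", None)
    branch = "%d.%d.%d" % v[:3]
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        return ("unknown", None)
    if v >= parse_version(fixed):
        return ("ok", fixed)
    return ("upgrade", fixed)


def check_installed(binary="openssl"):
    """Run `<binary> version` on this host and classify the result.

    Returns (raw_output, verdict) where verdict is a check_version() tuple.
    """
    out = subprocess.check_output([binary, "version"]).decode("utf-8", "replace")
    return out.strip(), check_version(out)


if __name__ == "__main__":
    # Constructed sample strings in the format printed by `openssl version`.
    for sample in ("OpenSSL 1.0.1e-fips 11 Feb 2013",
                   "OpenSSL 1.0.2b 11 Jun 2015",
                   "OpenSSL 0.9.8zf 19 Mar 2015"):
        print("%-36s -> %s" % (sample, check_version(sample)))
    try:
        raw, verdict = check_installed()
        print("installed: %s -> %s" % (raw, verdict))
    except OSError as exc:
        print("could not run openssl: %s" % exc)
```

One caveat when reading an "upgrade" verdict: distribution vendors such as Debian, Ubuntu and Red Hat backport security fixes without changing the upstream version letter, so a 1.0.1e-fips build can already contain these fixes. On such systems treat the verdict as a prompt to check the package changelog (for example `rpm -q --changelog openssl` or `apt-get changelog libssl1.0.0`) rather than as proof of exposure. The check also says nothing about processes that are still running the old library; those need a restart regardless of what the binary on disk reports.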

References:
[1]. https://www.openssl.org/news/secadv_20150611.txt


