Best Practices 03-02-2016

OpenSSL Patches Seven Security Vulnerabilities

Jason Sabin

Yesterday morning, OpenSSL released two patches—versions 1.0.2g and 1.0.1s—for seven new security vulnerabilities that were found in OpenSSL versions 1.0.1 and 1.0.2. These patches fix one “high” severity and six “low” severity vulnerabilities.

One High Severity Vulnerability

The explained that the high severity vulnerability known as is "a cross-protocol attack" that can "lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle."

Best Course of Action:

System admins should update their instances of OpenSSL:

  • OpenSSL 1.0.1 users should upgrade to version 1.0.1s.
  • OpenSSL 1.0.2 users should upgrade to version 1.0.2g.

Source code for both OpenSSL patches is available at.

Other Options:

They provided the following additional options for mitigating the DROWN attack:

  • Disable the SSL v2 protocol on all SSL/TLS servers.
  • Disable all SSL v2 ciphers, but must have applied OpenSSL patches 1.0.1r or 1.0.2f.

Six Low Severity Vulnerabilitie

The low severity vulnerabilities affect versions 1.0.1 and 1.0.2. The low severity vulnerabilities are as follows:

  • Double-free in DSA code (CVE-2016-0705)
  • Memory leak in SRP database lookups (CVE-2016-0798)
  • BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
  • Fix memory issues in BIO_*printf functions (CVE-2016-0799)
  • Side channel attack on modular exponentiation (CVE-2016-0702)

System admins should update their instances of OpenSSL:

  • OpenSSL 1.0.1 users should upgrade to version 1.0.1s.
  • OpenSSL 1.0.2 users should upgrade to version 1.0.2g.

Source code for both OpenSSL patches is available at.

Reminder to Upgrade to OpenSSL 1.0.2

Remember, OpenSSL is planning to stop support for OpenSSL 1.0.1 on December 31, 2016. If you are running an instance of OpenSSL 1.0.1, start making plans today to upgrade to the latest version of OpenSSL 1.0.2.

Making Sure Your OpenSSL is Secure

The OpenSSL community is made up of devoted researchers and security experts, who work with other online providers and open source developers. This community is committed to making sure that your “supported” OpenSSL releases are secure. I have yet to hear my IT department shout “Yes! Another OpenSSL Patch to install.” But we would much rather have the OpenSSL community finding and fixing the vulnerabilities in the OpenSSL framework before an attacker stumbles across them. That is why it is important to take the time to install the latest OpenSSL patches to keep your OpenSSL code secure.

UP NEXT
PKI

3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min

Featured Stories

12-04-2024

How artificial intelligence is reshaping digital trust

01-23-2025

Meeting compliance standards with ® TrustCore SDK

pkilint and the path to interoperable, quantum-safe PKI