OpenSSL Patch Released
As pre-announced, OpenSSL today released an update fixing 14 security flaws [1]. The good news: The only "high" vulnerability is present in the recently release version 1.0.2, which as far as I know is not yet used in any major operating system. But numerous of the "medium" vulnerabilities do have code execution potential (e.g. "memory corruption" issues), so do not delay patching too much. To answer your boss's first question: "No. This is not as bad as heartbleed".
This update affects all versions of SSL back to 0.9.8. See the table below for exact version numbers
| Major Version | Last Vulnerable | Patched | Max. Severity | OS/Linux Distro Affected |
|---|---|---|---|---|
| 1.0.2 | 1.0.2 | 1.0.2a | high | |
| 1.0.1 | 1.0.1l | 1.0.1m | moderate | Ubuntu 14, CentOS 6, CentOS 6, RHEL 6, RHEL 7, OS X 10.10 |
| 1.0.0 (End of Live Dec 2015) | 1.0.0q | 1.0.0r | moderate | Ubuntu 12 |
| 0.9.8 (End of Live Dec 2015) | 0.9.8ze | 0.9.8zf | moderate | CentOS 5, RHEL 5 |
(the list of operating systems / linux distributions attempts to capture major versions and is not complete)
Summary of vulnerabilities
For many of the announcements, the impact is not clearly stated. Also note that some vulnerabilities only apply to stand alone scripts (e.g. during signing / encrypting files or verifying certificates loaded from files) and not to network clients or servers.
| CVE | Description | Impact | OpenSSL Versions Affected | Rating | Server/ Client |
|---|---|---|---|---|---|
| CVE-2015-0291 | ClientHello sigalgs DoS | DoS | 1.0.2 | High | Server |
| CVE-2015-0204 | RSA silently downgrades to EXPORT_RSA (FREAK). [this is a re-release to adjust rating from low to high, not a new issue] |
MitM | 1.0.1, 1.0.0, 0.9.8 | High | Server/Client |
| CVE-2015-0290 | Multiblock corrupted pointer (64bit x86 CPUs that support AES NI instructions) | DoS | 1.0.2 | Moderate | Server/Client |
| CVE-2015-0207 | Segmentation fault in DTLSv1_listen | DoS | 1.0.2 | Moderate | Server |
| CVE-2015-0286 | Segmentation fault in ASN1_TYPE_cmp | DoS | 1.0.2, 1.0.1,1.0.0, 0.9.8 | Moderate | Server/Client |
| CVE-2015-0208 | Segmentation fault for invalid PSS parameters | DoS | 1.0.2 | Moderate | Server/Client |
| CVE-2015-0287 | ASN.1 structure reuse memory corruption | ? | 1.0.2, 1.0.1, 1.0.0, 0.9.8 | Moderate | neither |
| CVE-2015-0289 | PKCS7 NULL Pointer dereferences | ? | 1.0.2, 1.0.1, 1.0.0, 0.9.8 | Moderate | Server/Client |
| CVE-2015-0292 | Base64 decode | ? | 1.0.1, 1.0.0, 0.9.8 | Moderate | ? |
| CVE-2015-0293 | DoS via reachable assert in SSLv2 servers | DoS | 1.0.2, 1.0.1, 1.0.0, 0.9.8 | Moderate | Server |
| CVE-2015-1787 | Empty CKE with client auth and DHE | DoS | 1.0.2 | Moderate | Server |
| CVE-2015-0285 | Handshake with unseeded PRNG | confidentiality | 1.0.2 | Low | Client |
| CVE-2015-0209 | Use After Free following d2i_ECPrivatekey error | DoS | 1.0.2, 1.0.1, 1.0.0, 0.9.8 | Low | ? |
| CVE-2015-0288 | X509_to_X509_REQ NULL pointer deref | DoS | 1.0.2, 1.0.1, 1.0.0, 0.9.8 | Low | ? |
[1] https://www.openssl.org/news/secadv_20150319.txt
Comments