Security Alert (A15-12-02): Multiple Vulnerabilities in OpenSSL


 

Published on: 04 December 2015

  
  

Description:

Multiple vulnerabilities are found in the OpenSSL library. A remote attacker could exploit a memory leak problem or launch denial of service attack exploiting a NULL pointer dereference problem in OpenSSL.


Affected Systems:

  • OpenSSL versions 0.9.8zg, 1.0.0s, 1.0.1p, 1.0.2d and before
  • Any systems such as operating systems, web servers, VPN gateways or appliances using affected OpenSSL libraries

Impact:

Successful exploitation could lead to a denial of service condition.


Recommendation:

Related vulnerabilities are fixed in OpenSSL 0.9.8zh, 1.0.0t, 1.0.1q and 1.0.2e. Users with systems such as HTTPS protected websites or SSL-VPN gateways using OpenSSL to encrypt network traffic should check with their product vendors if the vulnerable OpenSSL versions are used and if so, upgrade to the fixed versions or follow the recommendations provided by the product vendors to mitigate the risk.


The OpenSSL Software Foundation announced that support for OpenSSL 0.9.8 and 1.0.0 will be ceased after 31 Dec 2015, no security updates for 0.9.8 and 1.0.0 will be provided after that. Users should consider upgrading to the latest versions of 1.0.1 or 1.0.2, or contact their product vendors for support.

More Information:

https://www.openssl.org/news/secadv/20151203.txt
https://www.us-cert.gov/ncas/current-activity/2015/12/03/OpenSSL-Patches-Multiple-Vulnerabilities
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3193 (to CVE-2015-3196)



Tag: OpenSSL
Tags