Multiple vulnerabilities have been found in the OpenSSL library. A remote attacker could downgrade a vulnerable TLS connection that uses ephemeral Diffie-Hellman key exchange to 512-bit export-grade cryptography and perform a man-in-the-middle attack (known as the Logjam attack). A remote attacker could also launch a denial-of-service attack by sending specially crafted public keys, certificate requests, certificates, PKCS#7 data or signedData messages to an affected system.
A successful attack could lead to a denial-of-service condition and a man-in-the-middle attack.
The related vulnerabilities are fixed in OpenSSL 0.9.8zg, 1.0.0s, 1.0.1n and 1.0.2b. Users with systems such as HTTPS-protected websites or SSL-VPN gateways that use OpenSSL to encrypt network traffic should be aware of the vulnerabilities and take the necessary actions. They should contact their product vendors to check whether vulnerable OpenSSL libraries are used and whether their products are affected by the issue.
Users should follow the recommendations provided by the product vendors and take immediate action to mitigate the risk.
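The version check described above can be scripted. The following Python is an added example, not part of the original advisory or of the OpenSSL project; it compares a version line, as printed by `openssl version`, against the fixed releases listed above. The function names and the sample strings are constructed for illustration.

```python
import re

# Fixed release per branch, taken from the advisory text above.
FIXED = {"0.9.8": "zg", "1.0.0": "s", "1.0.1": "n", "1.0.2": "b"}

# Legacy OpenSSL scheme: three numeric fields plus optional patch letters,
# e.g. "1.0.1k" or "0.9.8zf". A suffix such as "-fips" is ignored.
VERSION_RE = re.compile(r"(\d+\.\d+\.\d+)([a-z]*)")


def patch_key(letters):
    # Patch letters order as "", a..z, za, zb, ...; sorting by
    # (length, text) reproduces that order.
    return (len(letters), letters)


def classify(version_line):
    """Return 'patched', 'outdated' or 'unknown' for a version line.

    'outdated' means the reported version is older than the fixed release
    of its branch. Vendor builds may backport fixes without changing the
    version string, so an 'outdated' result is a prompt to check with the
    product vendor, as the advisory recommends.
    """
    match = VERSION_RE.search(version_line)
    if not match:
        return "unknown"
    branch, letters = match.groups()
    if branch not in FIXED:
        return "unknown"  # branch is not named in the advisory
    if patch_key(letters) >= patch_key(FIXED[branch]):
        return "patched"
    return "outdated"


if __name__ == "__main__":
    # Constructed sample lines, not captured from real systems.
    samples = [
        "OpenSSL 1.0.1k 8 Jan 2015",
        "OpenSSL 1.0.2b 11 Jun 2015",
        "OpenSSL 0.9.8zf",
        "OpenSSL 1.0.1e-fips 11 Feb 2013",
        "LibreSSL 2.2.0",
    ]
    for line in samples:
        print(f"{line!r}: {classify(line)}")
```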
http://openssl.org/news/secadv_20150611.txt
https://www.openssl.org/about/releasestrat.html
https://www.hkcert.org/my_url/en/alert/15061201
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8176
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1788
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1789
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1792
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000