Published on: 23 September 2016
Last update on: 27 September 2016
Multiple vulnerabilities have been found in the OpenSSL library. The most significant of the issues fixed on 22 September 2016 (CVE-2016-6304) is in the handling of the TLS OCSP Status Request extension: a malicious client can send an excessively large OCSP Status Request extension and then keep requesting renegotiation, sending the extension each time, so that memory on the affected server grows without bound and the service is denied.
For this OCSP issue, servers running OpenSSL 1.0.1g or later (including the 1.0.2 and 1.1.0 branches) are affected in a default configuration; servers on versions before 1.0.1g are affected only if the application explicitly enables OCSP stapling. Builds configured with the "no-ocsp" build time option are not affected by this issue.
Successful exploitation of most of these issues leads to denial of service. The use-after-free introduced in OpenSSL 1.1.0a (CVE-2016-6309, rated critical by the OpenSSL project) could result in a crash or in execution of arbitrary code.
The vulnerabilities in the 22 September advisory were fixed in OpenSSL 1.0.1u, 1.0.2i and 1.1.0a. The 1.0.2i and 1.1.0a releases themselves introduced new defects (CVE-2016-7052 and CVE-2016-6309 respectively), which were fixed in 1.0.2j and 1.1.0b on 26 September. The versions to deploy are therefore 1.0.1u, 1.0.2j and 1.1.0b; note that support for OpenSSL 1.0.1 ends on 31 December 2016, and that 1.0.0 and 0.9.8 no longer receive security updates. Users with systems such as HTTPS protected websites or SSL-VPN gateways that use OpenSSL to encrypt network traffic should check with their product vendors whether a vulnerable OpenSSL version is in use and, if so, upgrade to the fixed versions or follow the vendor's recommendations to mitigate the risk. Operating system vendors frequently backport fixes without changing the reported OpenSSL version letter, so a package changelog or vendor advisory is the authoritative source for such builds.
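A quick way to triage the first step of that recommendation, as an added example that is not part of this advisory or of the OpenSSL project: the script below classifies the first line of `openssl version` against the releases named above, and checks whether a build was configured with "no-ocsp" by looking for the OPENSSL_NO_OCSP define in the installed opensslconf.h (the header path is an assumption, since it varies by platform). The version strings used in the comments are constructed illustrations.

```shell
#!/bin/sh
# Added example, not from the advisory or from OpenSSL itself: classify the
# output of `openssl version` against the releases that close the 22 and
# 26 September 2016 advisories. Assumes only the "OpenSSL <x.y.z><letter>"
# format of that command's first line, e.g. "OpenSSL 1.0.2h  3 May 2016".
#
# Result printed by openssl_patch_status:
#   fixed        at or beyond 1.0.1u / 1.0.2j / 1.1.0b
#   regression   1.0.2i or 1.1.0a: has the 22 Sept fixes but also the defect
#                corrected on 26 Sept (CVE-2016-7052 / CVE-2016-6309)
#   vulnerable   anything older on a supported branch
#   unsupported  0.9.8 and 1.0.0, which stopped receiving fixes in 2015
#   unknown      not an OpenSSL version string this script recognises

letter_rank() {
    # Numeric rank of the patch letter; a bare release such as 1.1.0 ranks 0.
    if [ -z "$1" ]; then echo 0; else printf '%d\n' "'$1"; fi
}

openssl_patch_status() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)\([a-z]*\).*/\1 \2/p')
    if [ -z "$ver" ]; then echo unknown; return 0; fi
    base=${ver%% *}     # e.g. 1.0.2
    letter=${ver#* }    # e.g. h, or empty for a bare release
    case "$base" in
        0.9.8|1.0.0) echo unsupported; return 0 ;;
        1.0.1) fixed=u ;;
        1.0.2) fixed=j ;;
        1.1.0) fixed=b ;;
        *) echo unknown; return 0 ;;
    esac
    have=$(letter_rank "$letter")
    need=$(letter_rank "$fixed")
    if [ "$have" -ge "$need" ]; then
        echo fixed
    elif [ "$base" != 1.0.1 ] && [ "$have" -eq $((need - 1)) ]; then
        # 1.0.1 had no 26 Sept re-release, so it has no regression state.
        echo regression
    else
        echo vulnerable
    fi
}

built_without_ocsp() {
    # $1: path to the installed opensslconf.h (assumed location; it varies by
    # platform). A "no-ocsp" build records "# define OPENSSL_NO_OCSP" there,
    # which is the build-time condition under which CVE-2016-6304 does not apply.
    grep -q '^# *define OPENSSL_NO_OCSP' "$1" 2>/dev/null
}

# Live check of the binary on PATH when run as:  sh check_openssl.sh --live
if [ "${1-}" = "--live" ]; then
    openssl_patch_status "$(openssl version 2>/dev/null)"
fi
```

Treat "vulnerable" as a prompt to look further rather than a verdict: distribution packages such as a vendor's 1.0.1e-fips build keep the old version letter while carrying backported fixes, so confirm against the vendor's advisory or package changelog. "regression" means the host has the 22 September fixes but still needs the 26 September release.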
https://www.openssl.org/news/secadv/20160922.txt
https://www.openssl.org/news/secadv/20160926.txt
https://www.openssl.org/source/
https://www.hkcert.org/my_url/en/alert/16092301
https://www.us-cert.gov/ncas/current-activity/2016/09/23/OpenSSL-Releases-Security-Updates
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2177
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2178
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6302
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6303
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6305
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6306
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6307
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6308
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6309
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7052