On the 3rd of December the OpenSSL project made security updates available for the following versions of OpenSSL:
- OpenSSL 0.9.8zh: 1x CVE (defined) resolved: Moderate severity
- OpenSSL 1.0.0t: 2x CVEs resolved: 1x moderate severity, 1x low severity
- OpenSSL 1.0.1q: 2x CVEs resolved: 2x moderate severity
- OpenSSL 1.0.2e: 3x CVEs resolved: 3x moderate severity
Why Should These Issues Be Considered Important?
OpenSSL versions 1.0.1 and 1.0.2 are vulnerable to a moderate Denial of Service (DoS)(defined) attack which can affect both client and servers which perform certificate verification.
OpenSSL versions 1.0.0, 1.0.1 and 1.0.2 are vulnerable to a low severity race condition (see Aside below for a definition) which can result in a double free (use after free issues are defined here) of the identity hint data.
Moreover, all versions of OpenSSL are vulnerable to a moderate issues resulting from a memory leak when a malformed X509_ATTRIBUTE structure is presented.
Finally, and most importantly it should be noted that OpenSSL 0.9.8 and 1.0.0 will no longer receive security updates after the 31st of December this year. As mentioned by the OpenSSL team in the absence of significant security issues with the most recent updates for these versions, those updates will be the last to be created for them.
If you or your organization, make use of any software that uses these older versions of OpenSSL you are strongly advised to upgrade to the newer versions 1.0.1 (which will be supported until the end of 2016) or 1.0.2 (will be supported until the end of 2019). These dates were provided by the OpenSSL team within their Release Strategy page.
How can I protect myself from this issue?
For any server that you manage that uses OpenSSL, please update your OpenSSL installations to 0.9.8zh, 1.0.0t, 1.0.1q or 1.0.2e (as appropriate).
- FTP mirrors to obtain the necessary downloads are available from here.
- Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.
It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation.
What is a race condition?
If two or more applications/entities try to complete/carry out a task or make a change to the data contained within one object at exactly the same time; an unusual/invalid outcome can happen if the task/change does not happen in the correct order.
My thanks to Shon Harris for inspiring this definition from her book “CISSP All-in-One Exam Guide, 6th Edition” (McGraw-Hill Osborne, 2013).