Announcements 11-10-2016

OpenSSL Patches 3 Security Vulnerabilities in OpenSSL 1.1.0

Jason Sabin

This morning, the OpenSSL project team released the security patch 1.1.0c for three security vulnerabilities discovered in OpenSSL 1.1.0. This patch fixes one “high severity,” one “moderate severity,” and one “low severity” vulnerability.

None of these bugs affect SSL/TLS certificates. No actions related to SSL/TLS certificate management are required.

Source code for all the OpenSSL patches is available at OpenSSL Cryptography and SSL/TLS Toolkit.

For a full list of vulnerabilities, see the OpenSSL Security Advisory [10 Nov 2016].

About the High Severity Vulnerability

ChaCha20/Poly1305 heap-buffer-overflow (CVE-2016-7054)

The high severity vulnerability affects TLS connections that use the *-CHACHA20-POLY1305 cipher suites. These types of TLS connections are vulnerable to a DoS attack where the attacker sends a large corrupted payload, which could crash OpenSSL.

This issue only affects those running an instance of OpenSSL 1.1.0.

Update your instance(s) of OpenSSL:

  • OpenSSL 1.1.0 users need to upgrade to version 1.1.0c

About the Moderate Severity Vulnerability

CMS Null dereference (CVE-2016-7053)

“Applications parsing invalid CMS structures can crash with a NULL pointer dereference.” This vulnerability only affects CHOICE structures that use callbacks that cannot handle NULL values.

This issue only affects those running an instance of OpenSSL 1.1.0.

Update your instance(s) of OpenSSL:

  • OpenSSL 1.1.0 users need to upgrade to version 1.1.0c

About the Low Severity Vulnerability

Montgomery multiplication may produce incorrect results (CVE-2016-7055)

“Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation.”

This issue only affects those running an instance of OpenSSL 1.1.0 and 1.0.2.*

*Note: Although this bug is also found in OpenSSL 1.0.2, the severity of the issue and likelihood of it being exploited are so low that OpenSSL will patch it in the next 1.0.2 release.

Update your instance(s) of OpenSSL:

  • OpenSSL 1.1.0 users need to upgrade to version 1.1.0c

Support for OpenSSL 1.0.1 Ends Soon

Support for OpenSSL 1.0.1 will end on December 31, 2016. The OpenSSL community will no longer issue security updates for 1.0.1 after that date. If you are still running an instance of OpenSSL 1.0.1, make plans now to upgrade to the latest version of OpenSSL 1.1.0 (recommended) or 1.0.2 before 2016 ends.
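The upgrade guidance above boils down to one question per host: which OpenSSL line is installed, and is it before 1.1.0c, on 1.0.2 (where only the low severity bug remains unpatched), or on 1.0.1 (end of life on December 31, 2016)? The script below is an added example, not code from DigiCert or the OpenSSL project. It classifies the output of `openssl version` against the ranges this post lists and, because the high severity bug only matters when *-CHACHA20-POLY1305 suites are negotiable, it also filters an `openssl ciphers` listing for those suites. The sample version string and cipher list are constructed inputs shaped like the real tool output; the status names (affected, patched, partial, eol-soon, unknown) are this example's own labels.

```shell
#!/bin/sh
# Added example (not part of the DigiCert post or of OpenSSL itself).
# Classifies an `openssl version` string against the ranges the post lists
# and reports which ChaCha20/Poly1305 suites an `openssl ciphers` listing contains.

# openssl_status "VERSION_STRING" -> prints one status token:
#   affected  1.1.0 before 1.1.0c: all three CVEs, upgrade to 1.1.0c
#   patched   1.1.0c or later
#   partial   1.0.2: only CVE-2016-7055, fix planned for the next 1.0.2 release
#   eol-soon  1.0.1: no security updates after 2016-12-31
#   unknown   anything else (other libraries, dev builds)
openssl_status() {
  # Second whitespace-separated field of "OpenSSL 1.1.0b  26 Sep 2016" is the version.
  ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
  case "$ver" in
    1.1.0|1.1.0a|1.1.0b) echo affected ;;
    1.1.0[c-z]*)        echo patched ;;
    1.0.2*)             echo partial ;;
    1.0.1*)             echo eol-soon ;;
    *)                  echo unknown ;;
  esac
}

# chacha_suites "CIPHER_LIST" -> prints, one per line, the suite names that use
# CHACHA20-POLY1305. CIPHER_LIST is colon-separated, as printed by
# `openssl ciphers 'ALL'` or as found in a server's configured cipher string.
chacha_suites() {
  printf '%s\n' "$1" | tr ':' '\n' | grep 'CHACHA20-POLY1305' || true
}

# Constructed sample inputs (shaped like real tool output, not captured from a host).
SAMPLE_VERSION='OpenSSL 1.1.0b  26 Sep 2016'
SAMPLE_CIPHERS='ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA'

# When an openssl binary is on PATH, check the live toolchain; otherwise use the samples.
main() {
  if command -v openssl >/dev/null 2>&1; then
    v=$(openssl version)
    c=$(openssl ciphers 'ALL' 2>/dev/null || echo "$SAMPLE_CIPHERS")
  else
    v=$SAMPLE_VERSION
    c=$SAMPLE_CIPHERS
  fi
  echo "version : $v -> $(openssl_status "$v")"
  echo "ChaCha20/Poly1305 suites present in cipher list:"
  chacha_suites "$c" | sed 's/^/  /'
}

main "$@"
```

Run it on each host that links OpenSSL; a result of `affected` means upgrade to 1.1.0c now, `partial` means the 1.0.2 host is waiting only on the low severity Brainpool fix, and `eol-soon` means the 1.0.1 host needs a migration plan before the year ends. The cipher list output is informational: if no CHACHA20-POLY1305 suite appears, the high severity DoS cannot be triggered on that endpoint even before the upgrade, but the upgrade is still the fix.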
