OpenSSL Update Released
As announced earlier this week, OpenSSL released an update today for all currently supported versions (1.0.1, 1.0.2, 1.1.0).
The update fixes 14 different vulnerabilities. Only one vulnerability is rated "High". This vulnerability, CVE-2016-6304, can lead to memory exhaustion and a denial of service if the client sends multiple large OCSP requests.
With this update, the latest versions of OpenSSL for the various branches are 1.0.1u, 1.0.2i and 1.1.0a. All three branches are currently supported.
The table below shows which vulnerabilities apply to each branch.
CVE | Description | Rating | 1.0.1 | 1.0.2 | 1.1.0 |
---|---|---|---|---|---|
CVE-2016-6304 | OCSP Status Request extension unbounded memory growth | High | x | x | x |
CVE-2016-6305 | SSL_peek() hang on empty record (CVE-2016-6305) | Moderate | x | ||
CVE-2016-2183 | SWEET32 Mitigation (CVE-2016-2183) | Low | x | x | |
CVE-2016-6303 | OOB write in MDC2_Update() | Low | x | x | |
CVE-2016-6302 | Malformed SHA512 ticket DoS | Low | x | x | |
CVE-2016-2182 | OOB write in BN_bn2dec() | Low | x | x | |
CVE-2016-2180 | OOB read in TS_OBJ_print_bio() (CVE-2016-2180) | Low | x | x | |
CVE-2016-2177 | Pointer arithmetic undefined behaviour (CVE-2016-2177) | Low | x | x | |
CVE-2016-2178 | Constant time flag not preserved in DSA signing | Low | x | x | |
CVE-2016-2179 | DTLS buffered message DoS | Low | x | x | |
CVE-2016-2181 | DTLS replay protection DoS | Low | x | x | |
CVE-2016-6306 | Certificate message OOB reads | Low | x | x | |
CVE-2016-6307 | Excessive allocation of memory in tls_get_message_header() | Low | x | ||
CVE-2016-6308 | Excessive allocation of memory in dtls1_preprocess_fragment() | Low | x |
---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn
Keywords:
2 comment(s)
My next class:
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Dec 13th - Dec 18th 2024 |
×
Diary Archives
Comments
Anonymous
Sep 22nd 2016
8 years ago
OpenSSL blog at https://www.openssl.org/blog/blog/2016/08/24/sweet32/ states that "triple-DES should now be considered as “bad” as RC4".
WinXP was the last major OS that requires 3DES as it does not support AES. (There is a patch for AES support to Windows Server 2003). Time to deprecate or remove 3DES cipher support from web servers.
Blowfish is the default for OpenVPN. Wiki entry at https://community.openvpn.net/openvpn/wiki/SWEET32.
Anonymous
Sep 25th 2016
8 years ago