Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: OpenSSL Releases OpenSSL 1.0.1j, 1.0.0o and 0.9.8zc - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
OpenSSL Releases OpenSSL 1.0.1j, 1.0.0o and 0.9.8zc

This update to the OpenSSL Library addresses 4 vulnerabilities. One of these is the "POODLE" vulnerability announced yesterday.

CVE-2014-3513: A memory leak in parsing DTLS SRTP messages can lead to a denial of service. You are vulnerable, unless you specificly compiled your OpenSSL library with the "OPENSSL_NO_SRTP" option. All 1.0.1 versions of OpenSSL are affected.

CVE-2014-3567: Another memory leak that can lead to a DoS attack. In this case, memory is not free up if an SSL session ticket fails an integrity check. OpenSSL 0.9.8, 1.0.0 and 1.0.1 are affected.

CVE-2014-3566 (POODLE): OpenSSL now supports TLS_FALLBACK_SCSV to prevent a MitM from downgrading an SSL connection. This affects OpenSSL 1.0.1, 1.0.0 and 0.9.8.

CVE-2014-3568: The "no-ssl3" build option, which is intended to disable SSLv3, may actually not work as advertised. This one is of course particularly important if you try to disable SSLv3.

Also, OpenSSL 0.9.8 is now officially end-of-life. Don't expect any more patches for 0.9.8.

Johannes B. Ullrich, Ph.D.

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022


4475 Posts
ISC Handler
Oct 15th 2014

Sign Up for Free or Log In to start participating in the conversation!