Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: OpenSSL Security Advisory - CVE-2012-2110 - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
OpenSSL Security Advisory - CVE-2012-2110

Earlier today, the OpenSSL team released a fix for a recently discovered vulnerability that exposes applications, that use certain features of OpenSSL, to a heap overflow.

Since OpenSSL is used extensively, there is much speculation and discussion about who is vulnerable.  Here are some highlights and links of the reading I've done today.  

  • UPGRADE to the latest version as soon as you can. [1]
  • The SSL/TLS code of OpenSSL is *not* affected. [1]
    Which means, OpenSSH is NOT vulnerable.
  • Read a good detailed explanation of the vulnerability by Tavis Ormandy.  [2]  
    Tavis is credited with discovering the vulnerability. 
  • If Apache is using PEM for certificates, and not parsing untrusted data, then you risks are lower. [1]


Feel free to post a comment to discuss anything not spoken for in this diary.

ISC Handler on Duty

Kevin Shortt

85 Posts
ISC Handler
Apr 19th 2012
Seems to be a nice fun fact that this isn't all that new!/mdowd/status/192986878138523648

Sign Up for Free or Log In to start participating in the conversation!