OpenSSL vulnerabilities

Security announcements of interest to the AtomiCorp community, such as vulnerabilities in third party applications.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

OpenSSL vulnerabilities

Post by mikeshinn

Another set of vulnerabilities has been found in openssl, and we encourage all users to upgrade openssl using official patches from your OS vendor. Details of the vulnerabilities are available on the official openssl website at the URL below:

https://www.openssl.org/news/secadv_20140605.txt

Links from Vendors:

Redhat: EL6 https://rhn.redhat.com/errata/RHSA-2014-0625.html
Redhat: EL5 https://rhn.redhat.com/errata/RHSA-2014-0624.html
Centos: http://lists.centos.org/pipermail/cento ... 20344.html
Debian: https://lists.debian.org/debian-securit ... 00129.html
Ubuntu: http://www.ubuntu.com/usn/usn-2232-1/

Here's a summary of the issues:

* There are MITM, Potential Code Injection and DOS vulnerabilities in unpatched versions of OpenSSL.
* EL5 uses openssl 0.9.8 and EL6 uses 1.0.x.
* The MITM vulnerability only affects servers that run OpenSSL 1.0.1 but all clients.
* To exploit the MITM vulnerability both the client and server have to be using vulnerable versions of openssl.
* The MITM vulnerability affects EL6 systems only, not EL5. EL5 uses an older version of openssl.
* The code injection vulnerability does not affect systems using the ASL kernel, they are immune.
* The DOS vulnerabilities affect only clients, and servers with non-standard configurations.
* If you use OpenVPN, its "auth-tls" feature will likely mitigate the MITM vulnerabilities for OpenVPN.