This special report is an analysis of the openssl vulnerabilties released today. Please see this forum post for an explanation of the categories used in this report.
CVEs are sometimes created after a vulnerability is published (sometimes far after it has been made public). When CVEs are referenced, it is because a CVE was created today, not because an issue was resolved today, and it is included here for reference.
ASL users
Summary: ASL users may want to upgrade openssl, but the most severe vulnerabilities are eliminated by ASL by default.
Already protected against/Known Method/No update required
BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800) - ASL disables SSLv2 and weak ciphers on the system by default
Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703) - ASL disables SSLv2 and weak ciphers on the system by default
Bleichenbacher oracle in SSLv2 (CVE-2016-0704) - ASL disables SSLv2 and weak ciphers on the system by default
Not already protected against/New Method/Update Available
None.
Not already protected against/Doesnt protect against/Solution
Patches are available from vendors for these issues:
Side channel attack on modular exponentiation (CVE-2016-0702) - This is a low risk vulnerability
Memory leak in SRP database lookups (CVE-2016-0798) - This is a low risk vulnerability
Potential Vulnerability/Solution
Fix memory issues in BIO_*printf functions (CVE-2016-0799) - This is likely not exploitable on a system running the ASL kernel, and presents a low risk vulnerability. Patches are available from the vendor.
Rules only users
Summary: Rules only users should upgrade openssl.
Already protected against/Known Method/No update required
None.
Not already protected against/New Method/Update Available
None.
Not already protected against/Doesnt protect against/Solution
BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
Side channel attack on modular exponentiation (CVE-2016-0702) - This is a low risk vulnerability
Memory leak in SRP database lookups (CVE-2016-0798) - This is a low risk vulnerability
Fix memory issues in BIO_*printf functions (CVE-2016-0799) - This is a low risk vulnerability
Potential Vulnerability/Solution
Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800) - If SSLv2 and weak ciphers are disabled on the system, then this vulnerability is not applicable.
Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703) - If SSLv2 is disabled on the system, then this vulnerability is not applicable.
Bleichenbacher oracle in SSLv2 (CVE-2016-0704) - If SSLv2 is disabled on the system, then this vulnerability is not applicable.