OpenSSL will patch this week high severity vulnerability – Security Affairs

http://securityaffairs.co/wordpress/51448/security/openssl-high-severity-flaw.html

You might need to spare some time to do the update.

One of the flaws that affect the popular toolkit has a “high” severity.

The Project plans to release OpenSSL versions 1.1.0a, 1.0.2i and 1.0.1u next Thursday September 22 .

The OpenSSL Project has already issued three security patches this year that addressed a total of 16 vulnerabilities.

 

2 Comments

  1. Tomi Engdahl says:

    OpenSSL Security Advisory [22 Sep 2016]
    https://www.openssl.org/news/secadv/20160922.txt

    OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
    A malicious client can send an excessively large OCSP Status Request extension.
    If that client continually requests renegotiation, sending a large OCSP Status
    Request extension each time, then there will be unbounded memory growth on the
    server. This will eventually lead to a Denial Of Service attack through memory
    exhaustion. Servers with a default configuration are vulnerable even if they do
    not support OCSP. Builds using the “no-ocsp” build time option are not affected.
    Servers using OpenSSL versions prior to 1.0.1g are not vulnerable in a default
    configuration, instead only if an application explicitly enables OCSP stapling
    support.

    Other solved issues:
    SSL_peek() hang on empty record (CVE-2016-6305) – Moderate onlly 1.1.0
    SWEET32 Mitigation (CVE-2016-2183) – Low severity attack on older block cipher algorithms

    Reply
  2. Tomi Engdahl says:

    I Got 99 Problems, But SWEET32 Isn’t One
    http://www.securityweek.com/i-got-99-problems-sweet32-isnt-one
    Where does SWEET32 rank against other SSL vulnerabilities?

    Cryptographic attacks with cute names seem to come around every few months; so far in 2016 we have seen BICYCLE, DROWN, and now SWEET32.

    A pair of researchers, Karthikeyan Bhargavan and Gaëtan Leurent with the French national research institute for computer science, published a cryptographic attack against older, 64-bit block ciphers such as triple-DES (3DES) and Blowfish. They called their attack SWEET32 (CVE-2016-2183) as the attack starts to become practical after 2^32 cipher blocks.

    The attack’s website explains that the basis for the SWEET32 attack involves the birthday paradox from probability theory.

    Let’s see where SWEET32 would land in my ranking system, which is similar to the CVSS methodology in that it focuses on impact and exploitability.

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*