- OpenSSL 1.0.2
- OpenSSL 1.0.1
- OpenSSL 1.0.0
- OpenSSL 0.9.8
Multiple vulnerabilities have been discovered in OpenSSL. The details of these vulnerabilities are as follows:
- NULL pointer dereference issues may result in denial of service conditions (CVE-2015-0208, CVE-2015-0288, CVE-2015-0289, and CVE-2015-0291).
- RSA export ciphersuites are prone to a man-in-the-middle (MITM) attack (CVE-2015-0204).
- A defect in the implementation of "multiblock" may result in denial of service conditions (CVE-2015-0290).
- A defect in the implementation of DTLSv1_listen causes ClientHello processing to act statefully, which may result in a segmentation fault (CVE-2015-0207).
- ASN1_TYPE_cmp may result in denial of service conditions when comparing ASN.1 boolean types (CVE-2015-0286).
- Reusing a structure in ASN.1 parsing may result in memory corruption (CVE-2015-0287).
- An issue in the Base64 decoding may cause memory corruption (CVE-2015-0292).
- Servers that support SSLv2 and enable export cipher suites may be susceptible to denial of service conditions (CVE-2015-0293).
- A server may be susceptible to denial of service conditions when processing DHE ciphersuites (CVE-2015-1787).
- An OpenSSL client may be susceptible to performing a handshake with an unseeded PRNG (CVE-2015-0285).
- A use-after-free following a d2i_ECPrivatekey error may result in denial of service conditions or memory corruption (CVE-2015-0209).
Successful exploitation of these vulnerabilities may result in denial of service conditions.
We recommend the following actions be taken:
- After appropriate testing, apply appropriate updates to vulnerable systems immediately.
  - OpenSSL 1.0.2 users should upgrade to 1.0.2a
  - OpenSSL 1.0.1 users should upgrade to 1.0.1k
  - OpenSSL 1.0.0 users should upgrade to 1.0.0p
  - OpenSSL 0.9.8 users should upgrade to 0.9.8zd
- Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
- Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources, or suspicious emails from trusted sources.
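
To triage hosts against the upgrade targets listed above, the following added example (not part of the original advisory) classifies the banner printed by `openssl version` per branch. The function names and sample banners are constructed for illustration; the fixed-release table is copied from the recommendations above.

```python
import re

# Fixed release letter per branch, as listed in the recommendations above.
FIXED = {"1.0.2": "a", "1.0.1": "k", "1.0.0": "p", "0.9.8": "zd"}

BANNER_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def parse_banner(banner):
    """Return (branch, patch_letters) from an `openssl version` banner."""
    m = BANNER_RE.search(banner)
    if m is None:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    return m.group(1), m.group(2)


def letter_rank(letters):
    # Patch letters run "", a..z, then za..zz, so length is compared first.
    return (len(letters), letters)


def classify(banner, fixed=FIXED):
    """Return 'fixed', 'needs-upgrade', or 'unlisted' (branch not in table)."""
    branch, letters = parse_banner(banner)
    if branch not in fixed:
        return "unlisted"
    if letter_rank(letters) >= letter_rank(fixed[branch]):
        return "fixed"
    return "needs-upgrade"


# Constructed sample banners (not taken from the advisory).
SAMPLES = [
    "OpenSSL 1.0.2 22 Jan 2015",
    "OpenSSL 1.0.2a 19 Mar 2015",
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "OpenSSL 0.9.8zc 15 Oct 2014",
    "OpenSSL 0.9.8zd",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(f"{classify(banner):14} {banner}")
```

Distribution packages may backport fixes without changing the patch letter, so a `needs-upgrade` result reflects the upstream version string only and should be confirmed against the vendor's package changelog.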