Security vulnerabilities in OpenSSL (CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470)

Source: https://www.openssl.org/news/secadv_20140605.txt

Description
(CVE-2014-0224)

An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.

The attack can only be performed between a vulnerable client AND server.

What versions of OpenSSL are affected?

  • OpenSSL clients are vulnerable in ALL versions of OpenSSL.  
  • Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1.

How to fix:

Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

  • OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
  • OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
  • OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.

You can use this article as a reference to check the version of your OpenSSL installation and perform the upgrade.
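The version check described above can be scripted. The following is an added example, not part of the original article or of OpenSSL: it compares `openssl version` output against the fixed releases listed above, including the letter ordering in which `za` follows `z`. The function names and sample lines are constructed for illustration.

```python
import re
import subprocess

# Fixed releases named in the advisory, keyed by release branch.
FIXED = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}
VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)(?:-([a-z0-9]+))?")

def patch_rank(letters):
    """Rank patch letters so that '' < a < ... < z < za < zb."""
    return sum(ord(ch) - ord("a") + 1 for ch in letters)

def assess(version_line):
    """Classify one line of `openssl version` output against CVE-2014-0224.

    Returns None when the line is unparseable or the branch is not covered here.
    """
    m = VERSION_RE.search(version_line)
    if not m:
        return None
    branch, letters, tag = m.groups()
    if branch == "1.0.2" and tag == "beta1":
        # Listed as an affected server; the article names no fixed 1.0.2 release.
        return {"version": "1.0.2-beta1", "client_vulnerable": True,
                "server_known_vulnerable": True, "upgrade_to": None}
    if branch not in FIXED:
        return None
    fixed = patch_rank(letters) >= patch_rank(FIXED[branch])
    return {
        "version": branch + letters,
        "client_vulnerable": not fixed,
        # Servers are only known to be vulnerable on the 1.0.1 branch.
        "server_known_vulnerable": (not fixed) and branch == "1.0.1",
        "upgrade_to": None if fixed else branch + FIXED[branch],
    }

# Constructed sample lines in the format printed by `openssl version`.
SAMPLES = [
    "OpenSSL 0.9.8y 5 Feb 2013",
    "OpenSSL 0.9.8za 5 Jun 2014",
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", assess(line))
    try:  # Also check the local binary when one is installed.
        local = subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout
        print(local.strip(), "->", assess(local))
    except FileNotFoundError:
        print("openssl binary not found")
```

Distribution packages often backport security fixes without changing the upstream version string, so a "vulnerable" result for a vendor build should be confirmed against the vendor's own advisory.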
