OpenSSL Update Fixes High-Severity DoS Vulnerability

US-CERT issues alert to server admins warning of a dangerous OpenSSL vulnerability and urges 1.1.0 users update to version 1.1.0e.

The OpenSSL Software Foundation released an update to the OpenSSL crypto library that patches a vulnerability rated high severity that could allow a remote attacker to cause a denial-of-service condition.

OpenSSL released the version 1.1.0e update that fixes flaws found in OpenSSL 1.1.0, according to the OpenSSL Security Advisory issued last week. The United States Computer Emergency Response Team also alerted system admins of the issue last week.

According to OpenSSL, the vulnerability occurs during a renegotiation handshake procedure. “If the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers are affected,” according to the advisory.

OpenSSL is ubiquitous, in tens of thousands of commercial and homespun software projects. The open source project provides a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. The technology is credited for keeping communications secure between endpoints by ensuring the identity of both parties.

According OpenSSL, the issue does not impact OpenSSL version 1.0.2. However, additional versions of OpenSSL, such as version 1.0.0 and 0.9.8, which are no longer supported, will also need updates. The bug, CVE-2017-3733, was reported by Red Hat’s Joe Orton on Jan. 31. The fix was developed by the OpenSSL team’s Matt Caswell.

OpenSSL deployments continue to be plagued by the Heartbleed vulnerability. The flaw persists today and can be found on almost 200,000 servers and devices, according to a recent report by the operators of Shodan search engine.

Earlier this month Ubuntu users were urged to update their operating system to address a handful of patched OpenSSL vulnerabilities (CVE-2016-7056 and CVE-2016-7055) which affect Ubuntu and its derivatives.

The OpenSSL toolkit is licensed under an Apache-style license and has the financial backing of firms such as The Linux Foundation, Microsoft, Facebook, Amazon, Dell and Google.

Suggested articles