New OpenSSL Security Updates, No Major Security Threats

On August 6, 2014, developers at OpenSSL released new updates to resolving nine previously reported security issues categorized with a severity of moderate or less.

This next round of updates to the widely-used OpenSSL library, that most servers on the Internet rely on to implement secure SSL/TLS connections, shows that the project is actively promoting stronger security online and is constantly being reviewed for possible improvements in encryption implementation.

New OpenSSL Update 0.9.8zb, 1.0.0n and 1.0.1i

The minor updates to the library, 0.9.8zb, 1.0.0n and 1.0.1i, address a number of minor possible issues but do not affect the security of any website using SSL.

  • OpenSSL 0.9.8za DTLS users should upgrade to 0.9.8zb
  • OpenSSL 1.0.0m DTLS users should upgrade to 1.0.0n
  • OpenSSL 1.0.1h DTLS users should upgrade to 1.0.1i

No SSL Certificates are affected and administrators can include the new version of OpenSSL in their regular patching and updating process.

The updated versions of the OpenSSL software address a number of possible security issues previously reported to the organization. The developers for the project identified these security fixes as moderate to low risk to enterprises that rely on OpenSSL for system security. The fixes include resolving:

  • Information leak in pretty printing functions (CVE-2014-3508)
  • Crash with SRP ciphersuite in Server Hello message (CVE-2014-5139)
  • Race condition in ssl_parse_serverhello_tlsext (CVE-2014-3509)
  • Double Free when processing DTLS packets (CVE-2014-3505)
  • DTLS memory exhaustion (CVE-2014-3506)
  • DTLS memory leak from zero-length fragments (CVE-2014-3507)
  • OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510)
  • OpenSSL TLS protocol downgrade attack (CVE-2014-3511)
  • SRP buffer overrun (CVE-2014-3512)

Less than 0.5% of Sites Are Still Affected by Heartbleed

Security researcher Ivan Ristic’s most recent monthly scan of the top 150,000+ Internet sites’ SSL security settings showed that less than 0.5% of top sites on the Internet are still vulnerable to Heartbleed. As part of the SSL Pulse security monitoring project, Ristic says that Heartbleed updates have been “incredibly fast.”

Although some reports state that a large number of sites on the Internet are still vulnerable to Heartbleed, it’s important to consider that many of those sites don’t deal with sensitive data or have low Internet user traffic, reducing the risk of data breaches.

Major Update Coming to OpenSSL

An active community of devoted researchers and security experts continue to work on identifying possible threat vectors and working with online software providers and open source developers to enhance software security, especially for those projects (like OpenSSL) that are utilized by a large number of systems in order to make the Internet a safer place for all users.

The OpenSSL team has continued to make updates to the security library and no major vulnerabilities have been found. The team continues to work on new features and enhancements, along with continually reviewing the existing library for ways that it could be improved.

The next major release, OpenSSL 1.1.0 (release date TBD), will include a number of new features that further increase the reliability of the library.