OpenSSL Developers Release Update to Fix Known Vulnerabilities

The OpenSSL project developers have released new patches resolving vulnerabilities in their software. Unlike Heartbleed, this OpenSSL update does not affect SSL Certificates. Administrators are strongly advised to update their systems to the latest version of OpenSSL in order to ensure that communication between clients and servers remains secure.

The possible vulnerability, known as CCS injection, affects all client versions of OpenSSL and server versions 1.0.1 and 1.0.2-beta1. The OpenSSL team recommends that:

  • OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za
  • OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m
  • OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h

Many platform providers already have updates available for system administrators.
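As an added illustration that is not part of the original post, the following Python check compares a reported OpenSSL version string against the fixed releases listed above to decide whether a host still needs the update. It assumes OpenSSL's release numbering (a patch letter after the third number, with longer suffixes such as "za" sorting after "z") and treats branches not named in the list, such as 1.0.2-beta1, as needing separate assessment.

```python
import re
import subprocess

# Minimum fixed release per branch, as listed in the upgrade advice above.
# Anything on the same branch below these still needs the update.
FIXED_VERSIONS = {
    "0.9.8": "0.9.8za",
    "1.0.0": "1.0.0m",
    "1.0.1": "1.0.1h",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Turn '1.0.1g' or a full 'OpenSSL 1.0.1g 7 Apr 2014' banner into a
    comparable tuple. Patch letters are ordered by length first and then
    alphabetically, so 'z' < 'za' < 'zb' (OpenSSL's own numbering scheme,
    assumed here; trailing suffixes such as '-fips' are ignored)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), len(letters), letters)


def needs_update(text):
    """True if the version is on a listed branch and older than its fixed
    release, False if it is at or past the fix, and None for branches the
    list does not cover (e.g. 1.0.2-beta1), which must be assessed separately."""
    version = parse_version(text)
    branch = "%d.%d.%d" % version[:3]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return None
    return version < parse_version(fixed)


def check_installed():
    """Query the local 'openssl version' binary and report the verdict.
    Distributions often backport fixes without changing the version string,
    so a True here means 'confirm against your vendor's changelog'."""
    banner = subprocess.check_output(["openssl", "version"]).decode()
    verdict = needs_update(banner)
    print("%s -> needs update: %s" % (banner.strip(), verdict))
    return verdict


if __name__ == "__main__":
    check_installed()
```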

Clients using Internet Explorer, Firefox, or Chrome are not affected, reducing the number of possible clients affected by this latest OpenSSL update. Android users will need to update their devices to the latest version in order to take advantage of the latest fixes. Platforms and devices not using OpenSSL are unaffected.

In summary, the exploit requires an attacker to be able to intercept communications between vulnerable servers and clients (man-in-the-middle). If either the server or the client is not vulnerable, the vulnerability cannot be exploited. For additional details and patch information, see: https://www.openssl.org/
