Early this morning, the OpenSSL project team released three security patches—1.1.0a, 1.0.2i, and 1.0.1u—for 14 security vulnerabilities discovered in OpenSSL. These three new patches fix one “high” severity, one “moderate” severity, and 12 “low” severity vulnerabilities.
None of these bugs affect your SSL/TLS Certificates, and no actions are required related to SSL/TLS Certificate management.
Source code for all the OpenSSL patches is available at OpenSSL Cryptography and SSL/TLS Toolkit.
For a full list of vulnerabilities, see the OpenSSL Security Advisory [22 Sep 2016].
The OpenSSL Security advisory reported one “high” severity vulnerability. With this one, an attacker can initially deliver a large "Online Certificate Status Protocol (OCSP) Status Request extension.” Then the attacker requests renegotiations repeatedly, delivering a huge “OCSP Status Request extension” with each request and causing limitless memory growth on that server. This continued renegotiation exhausts server memory resulting in a (Denial of Service (DoS) attack.
If you are running an instance of OpenSSL with a default configuration, you are vulnerable to this attack—even if that configuration does not support OCSP. However, if your instance is configured with the “no-ocsp” build time option, you are not vulnerable.
Note: If you are running an instance of OpenSSL 1.0.1 – 1.0.1f with a default configuration and have not enabled OCSP stapling support, then you are not vulnerable.
The “moderate” severity vulnerability reported by the OpenSSL Security advisory deals with a DoS attack. If the attacker delivers an empty message, then OpenSSL 1.1.0 hangs as it makes a call to SSL_peek. An attacker could exploit this in a DoS attack.
This vulnerability only affects those running an instance of OpenSSL 1.1.0.
Ten of the “low” severity vulnerabilities only affect instances of OpenSSL: 1.0.2 and 1.0.1.
Only three months left until support for OpenSSL 1.0.1 ends on December 31, 2016. If you are running an instance of OpenSSL 1.0.1, make plans today to upgrade to the latest version of OpenSSL 1.1.0 (recommended) or 1.0.2.
Even though making patches takes time and energy, the OpenSSL community (comprised of devoted researchers and security experts working with online providers and open source developers) isn't trying to make your job more difficult. Their job is to keep your supported versions of OpenSSL secure. The OpenSSL community works hard to find and fix vulnerabilities in the framework before attackers find and exploit them.
As soon as you're done moaning and groaning, take the time to apply the latest patches and keep your OpenSSL code secure.