Early this morning, OpenSSL released patches for new security vulnerabilities found in OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf. These patches fix a total of 12 vulnerabilities, two of which were rated as high severity.
According to the OpenSSL advisory, one of the high severity vulnerabilities can be exploited to allow a DoS attack against an affected server.
The other high severity vulnerability is a reclassification of a previously patched vulnerability related to RSA export cipher suite support.None of these bugs affect SSL Certificates, and no action related to certificate management is required.
There are two high severity vulnerabilities.
In the first vulnerability, "if a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension a NULL pointer dereference will occur. This can be exploited in a DoS attack against the server." OpenSSL 1.0.2 users should upgrade to 1.0.2a.
The second vulnerability was already fixed in a previous version of OpenSSL. This vulnerability was originally classified as low severity in January 2015 due to the belief that support for RSA export cipher suites was rare. However, it has now been reclassified as high severity.
The rest of the vulnerabilities are rated as low-to-moderate risk. For a full list, see the OpenSSL advisory.
OpenSSL users should patch their systems as soon as possible. Source code is available for the OpenSSL patches here.
Administrators should also disable support for all export-grade cipher suites to protect against the FREAK attack. We also recommend that you disable support for all known insecure ciphers (not just RSA export ciphers), disable support for ciphers with 40- and 56-bit encryption, disable support for SSL 3.0 and 2.0, and enable forward secrecy.
Use DigiCert Certificate Inspector to scan for vulnerable servers and to see a list of enabled ciphers and protocols.
As an industry, we are refocusing on security in the core services that countless organizations rely on.
This increased scrutiny on the OpenSSL framework is encouraging to see and suggests that more vulnerabilities will be discovered and patched. This process is necessary to the long-term security and strength of these projects and means that issues will hopefully be patched before attackers find them. While continually applying patches can be frustrating, it is a step forward for security and could arguably mean that the OpenSSL code is more secure than it has been for a long time.