While the world is pushed—or forced—toward digitizing all business processes, workflows and functions, the lessons from the early days of the Internet can be a predictor of success. Learn how Digital Trust can make or break your strategy and how the wrong solution may be setting your organization up for failure in less than three years.
Early this morning, the OpenSSL project team released the security patch 1.1.0e to fix a “HIGH” severity security vulnerability found in OpenSSL 1.1.0. Version 1.0.2 is not affected. However, system admins should patch their 1.1.0 OpenSSL framework immediately.This bug does not affect SSL/TLS certificates. No actions related to SSL/TLS certificate management are required.
Basically, when a client and a server renegotiate a handshake, if the Encrypt-Then-Mac extension is used and it was not part of the original negotiation, or if the Encrypt-Then-Mac extension was part of the original handshake but left out of the renegotiation, this can cause your instance of OpenSSL 1.1.0 to crash (depending on the ciphersuite being used), affecting both the server and the client. See more here: OpenSSL Security Advisory [16 Feb 2017].
This vulnerability appears to only exist in OpenSSL version 1.1.0. If you are running an instance of OpenSSL version 1.0.2, you are not affected.
Administrators should update their instances of OpenSSL 1.1.0 to 1.1.0e. Source code for all the OpenSSL patches is available at OpenSSL Cryptography and SSL/TLS Toolkit.Note: The bug does not affect OpenSSL version 1.0.2. OpenSSL versions 1.0.1, 1.0.0, and 0.9.8 are no longer supported and do not receive security updates.
OpenSSL continues to make sure that the OpenSSL framework remains strong and secure. This requires the OpenSSL team to remain vigilant at finding and patching vulnerabilities before attackers can find and exploit them. However, your OpenSSL instance and the broader community in general can only remain strong if you take the time to patch your systems.