Early this morning, the OpenSSL project team released the security patch 1.1.0e to fix a “HIGH” severity security vulnerability found in OpenSSL 1.1.0. Version 1.0.2 is not affected. However, system admins should patch their 1.1.0 OpenSSL framework immediately.
This bug does not affect SSL/TLS certificates. No actions related to SSL/TLS certificate management are required.
Encrypt-Then-Mac renegotiation crash (CVE-2017-3733)
Basically, when a client and a server renegotiate a handshake, if the Encrypt-Then-Mac extension is used and it was not part of the original negotiation, or if the Encrypt-Then-Mac extension was part of the original handshake but left out of the renegotiation, this can cause your instance of OpenSSL 1.1.0 to crash (depending on the ciphersuite being used), affecting both the server and the client. See more here: OpenSSL Security Advisory [16 Feb 2017].
What’s the impact?
This vulnerability appears to only exist in OpenSSL version 1.1.0. If you are running an instance of OpenSSL version 1.0.2, you are not affected.
What should I do?
Administrators should update their instances of OpenSSL 1.1.0 to 1.1.0e. Source code for all the OpenSSL patches is available at OpenSSL Cryptography and SSL/TLS Toolkit.
Note: The bug does not affect OpenSSL version 1.0.2. OpenSSL versions 1.0.1, 1.0.0, and 0.9.8 are no longer supported and do not receive security updates.
Keeping Your OpenSSL Instance Secure
OpenSSL continues to make sure that the OpenSSL framework remains strong and secure. This requires the OpenSSL team to remain vigilant at finding and patching vulnerabilities before attackers can find and exploit them. However, your OpenSSL instance and the broader community in general can only remain strong if you take the time to patch your systems.