Recently Discovered OpenSSL Vulnerabilities


OpenSSL recently released a series of patches that fix six different vulnerabilities, these include two high-severity flaws that could allow an attacker to execute malicious code on a web server, as well as decrypt HTTPS traffic between a client and secure web site(s) hosted by an HTTPS enabled webserver.

OpenSSL is an open-source cryptographic library that is being widely used to cryptographically protect web, SFTP, and e-mail traffic using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols – it is used on many different types of webservers, as well as on other types of servers such as SFTP and e-mail servers that use SSL/TLS to securely transmit data.

The first of the two high-severity flaws, CVE-2016-2107, allows a man-in-the-middle attacker to initiate an specific attack that can decrypt HTTPS traffic and exfiltrate data in plain text.  The second high-severity bug, CVE-2016-2108, is a memory corruption flaw in the OpenSSL ASN.1 standard for encoding, transmitting and decoding data that allows attackers to execute malicious code (remote execution) on the web server.

OpenSSL also patched four other low-severity vulnerabilities including two buffer overflow vulnerabilities, one memory issue, and one low-severity bug that resulted in arbitrary stack data being returned in the buffer.

The UCLA Information Security Office recommends that any department using OpenSSL install the latest patches for their particular system(s) as soon as practical.  Many UNIX based servers and appliances that use SSL/TLS are running OpenSSL and may be vulnerable unless properly patched.  OpenSSL versions 1.0.1 and 1.0.2 are both potentially vulnerable and are widely used across Campus.  Administrators for these servers are advised to apply patches as soon as possible.  The matrix below shows that minimum versions of 1.0.1t and 1.0.2h are not affected.

  • Fixed in OpenSSL 1.0.1t (Affected 1.0.1s, 1.0.1r, 1.0.1q, 1.0.1p, 1.0.1o, 1.0.1n, 1.0.1m, 1.0.1l, 1.0.1k, 1.0.1j, 1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
  • Fixed in OpenSSL 1.0.2h (Affected 1.0.2g, 1.0.2f, 1.0.2e, 1.0.2d, 1.0.2c, 1.0.2b, 1.0.2a, 1.0.2)

Further details regarding these vulnerabilities and the patches to resolve them can be found at OpenSSL.