OpenSSL patches flaw that exposes an encryption key


The OpenSSL project issued an update to patch a vulnerability that would allow a malicious remote user to obtain a decryption key enabling them to learn sensitive information.

OpenSSL said the software may generate previously used prime numbers for use in the Diffie-Hellman protocol, which generates the shared key that allows two computers to securely exchange data, and that this could lead to an attacker recovering the private encryption key. The problem issue (CWE-325).

“Such a number, particularly if re-used, severely weakens applications of the Diffie-Hellman protocol such as TLS, allowing an attacker in some scenarios to possibly determine the Diffie-Hellman private exponent and decrypt the underlying traffic,” OpenSSL stated in its vulnerability note.

OpenSSL versions 1.0.2f and 1.0.1r are now available and fix the issue.
