Fourteen flaws in the OpenSSL project have been patched, including a high-severity vulnerability that can be exploited to cause a denial-of-service (DoS) attack.
The high-severity flaw (CVE-2016-6304) affects the Online Certificate Status Protocol (OCSP) verification process. An attacker can exploit the flaw by sending a large OCSP Status Request extension to create memory exhaustion and cause a DoS attack.
The update also included a patch for the “Sweet32” vulnerability (CVE-2016-2183), affecting algorithms of SSH, SSL/TLS and OpenVPS protocols. Last week, Citrix called Sweet32 “a low-severity issue” and wrote that it would be difficult to use the flaw to execute an attack.
John Bambenek, manager of threat systems at Fidelis Cybersecurity, highlighted the OCSP patch as a strong example of open-source software “being on top of reported security vulnerabilities.” In an email to SCMagazine.com, he noted that “it was only about three weeks from report to fix being in the code.”
The task facing enterprise organizations in remediating the flaw goes beyond simply patching in-house applications. Cloud customers must “address the risk of service unreliability from cloud service providers who are still vulnerable,” Skyhigh Networks CTO Kaushik Narayan in an email to SCMagazine.com.
Other pros see cause for concern as a result of OpenSSL ubiquity in securing data in transit. The OCSP vulnerability “exemplifies the problems” that result from extensive use of open source components “especially when those components are the de facto implementation,” MobileIron Lead Solutions Architect James Plouffe wrote in an email to SCMagazine.com.
Core Security systems engineer Bobby Kuzma raised similar concerns, noting “the huge number of embedded devices that use OpenSSL that have either no patching mechanism or aren’t under effective management.” In an email to SCMagazine.com, he warned of “a huge, long-term vulnerability footprint that most organizations are ill-equipped to know about — let alone handle.”