Network Security, Patch/Configuration Management, Vulnerability Management

Security update issued for OpenSSL

OpenSSL version 1.1.0c has been issued to combat vulnerabilities in previous versions of the toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols, according to an OpenSSL advisory.

Some of the flaws could enable an attacker to instigate a denial-of-service situation.

The severity of a heap-buffer-overflow (CVE-2016-7054) was ranked "High." The bug could open a path for a DoS attack by corrupting larger payloads, resulting in an OpenSSL crash, the advisory stated.

Owing to another bug ranked "Moderate" (CVE-2016-7053), applications parsing invalid CMS structures can crash with a NULL pointer dereference.

"There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure that handles input lengths divisible by, but longer than 256 bits," the advisory stated. This third flaw (CVE-2016-7055), ranked "Low," could produce incorrect results.

Support for OpenSSL version 1.0.1 ends on Dec. 31, after which no security updates will be issued for that version, so users of 1.0.1 are advised to upgrade.
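A practical follow-up to an advisory like this is checking which of the branches it names a host is actually running. The POSIX shell snippet below is an added example, not code from OpenSSL or from SC Media: it classifies an `openssl version` string against only what the article states (1.1.0 releases before 1.1.0c carry the three CVEs; 1.0.1 receives no updates after Dec. 31), and reports anything else as not covered. The status labels and the helper names are my own choices.

```shell
#!/bin/sh
# Classify an OpenSSL version string against the 1.1.0c advisory summarised above.
# Added example; status labels ("affected", "fixed", "eol", "not-covered") are mine.
#
# Handles the usual forms: "1.1.0c", "1.1.0", "1.1.0c-fips", "1.0.1u  22 Sep 2016".
openssl_status() {
    ver=${1%%[ -]*}                               # drop trailing date / "-fips" suffix
    base=$(printf '%s' "$ver" | sed 's/[a-z]*$//')   # numeric part, e.g. 1.1.0
    letter=$(printf '%s' "$ver" | sed 's/^[0-9.]*//') # patch letter, e.g. c (may be empty)

    case "$base" in
        1.1.0)
            # Only 1.1.0c and later contain the fixes for CVE-2016-7054/7053/7055.
            case "$letter" in
                ''|a|b) echo affected ;;
                *)      echo fixed ;;
            esac ;;
        1.0.1)
            # No security updates after Dec. 31, 2016, regardless of patch letter.
            echo eol ;;
        *)
            # The article makes no statement about other branches.
            echo not-covered ;;
    esac
}

# Inspect the OpenSSL binary on PATH; prints "<version> <status>" or a note if absent.
check_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found on PATH"
        return 0
    fi
    v=$(openssl version | awk '{print $2}')
    echo "$v $(openssl_status "$v")"
}
```

Call `check_local_openssl` on a host to see its branch and status, or feed version strings gathered from an inventory into `openssl_status` directly; the "not-covered" result is deliberate, since the article says nothing about branches other than 1.1.0 and 1.0.1.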
