The OpenSSL project issued an update to patch a vulnerability that would allow a malicious remote user to obtain a decryption key enabling them to learn sensitive information.
OpenSSL said the software may generate previously used prime numbers for use in the Diffie-Hellman protocol, which generates the shared key that lets two computers exchange data securely; this could lead to an attacker recovering the private encryption key. The problem is classified as CWE-325.
“Such a number, particularly if re-used, severely weakens applications of the Diffie-Hellman protocol such as TLS, allowing an attacker in some scenarios to possibly determine the Diffie-Hellman private exponent and decrypt the underlying traffic,” OpenSSL stated in its vulnerability note.
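To make the protocol described above concrete, here is an added example (not OpenSSL code, and not the fix the project shipped) of a Diffie-Hellman exchange between two parties, together with the parameter hygiene a defender wants before trusting the resulting key: the modulus is checked to be a safe prime, each party draws a fresh private exponent for every exchange rather than re-using one, and each side rejects peer public values outside the valid range. The group (p = 23, g = 5) is a constructed textbook-sized example for illustration only; real deployments use standard groups of 2048 bits or more.

```python
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test (trial division first)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    # write n - 1 as d * 2^r with d odd
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                         # composite witness found
    return True


def is_safe_prime(p: int) -> bool:
    """A safe prime is p = 2q + 1 with q also prime; such groups have no
    small subgroups (other than order 1 and 2) for an attacker to exploit."""
    return p > 5 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def valid_public_value(p: int, y: int) -> bool:
    """Reject 0, 1 and p-1: those public values force a trivial shared secret."""
    return 2 <= y <= p - 2


class DHParty:
    """One side of a Diffie-Hellman exchange over a validated group."""

    def __init__(self, p: int, g: int) -> None:
        if not is_safe_prime(p):
            raise ValueError("modulus p is not a safe prime")
        if not 2 <= g <= p - 2:
            raise ValueError("generator g out of range")
        self.p, self.g = p, g
        # Fresh private exponent per exchange: never re-used across sessions.
        self.x = secrets.randbelow(p - 3) + 2
        self.public = pow(g, self.x, p)

    def shared_secret(self, peer_public: int) -> int:
        if not valid_public_value(self.p, peer_public):
            raise ValueError("peer public value rejected")
        return pow(peer_public, self.x, self.p)


def run_exchange(p: int, g: int) -> int:
    """Both sides of the exchange; returns the agreed shared secret."""
    alice, bob = DHParty(p, g), DHParty(p, g)
    k_alice = alice.shared_secret(bob.public)
    k_bob = bob.shared_secret(alice.public)
    assert k_alice == k_bob, "both parties must derive the same secret"
    return k_alice


if __name__ == "__main__":
    # Constructed demo group: p = 23 = 2*11 + 1 is a safe prime, g = 5.
    print("shared secret:", run_exchange(23, 5))
    print("is 31 a safe prime?", is_safe_prime(31))   # 15 is not prime -> False
```

The shared secret is then fed to a key-derivation function rather than used directly as a key; the point of the checks is that the group is sound and the private exponent is short-lived, so recovering one session's exponent does not expose other traffic.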
OpenSSL versions 1.0.2f and 1.0.1r are now available and fix the issue.