Mihir :-)
Thread author
The OpenSSL Project released on Tuesday versions 1.0.2h and 1.0.1t to patch several vulnerabilities that can be exploited for denial-of-service (DoS) attacks, arbitrary code execution and traffic decryption.
The latest versions of OpenSSL address a high severity flaw (CVE-2016-2107) that was introduced in 2013 as part of the fix for the Lucky 13 TLS attack. The vulnerability, reported on April 13 by Juraj Somorovsky, allows a man-in-the-middle (MitM) attacker to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI instructions.
OpenSSL 1.0.2h and 1.0.1t also patch three low severity issues related to the incorrect handling of large amounts of input data by the EVP_EncodeUpdate() and EVP_EncryptUpdate() functions, and incorrect handling of memory when ASN.1 data is read from a BIO. These flaws have been assigned the CVE identifiers CVE-2016-2105, CVE-2016-2106 and CVE-2016-2109.
The OpenSSL Project also informed users of a high severity vulnerability (CVE-2016-2108) that is a combination of two non-security bugs.
Read more: Non-Security OpenSSL Bugs Lead to Serious Vulnerability | SecurityWeek.Com
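A triage sketch for the fixed versions and the CVE-2016-2107 preconditions quoted above, added here as an example and not part of the original post or of OpenSSL. The host records, the field names (`banner`, `cipher`, `cpu_flags`) and the `exposed-2107` label are assumptions made for illustration.

```python
import re

# Fixed releases named in the article, keyed by release branch.
FIXED = {"1.0.1": "t", "1.0.2": "h"}
BANNER = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")

def patch_status(banner):
    """Classify an `openssl version` banner as patched, unpatched or unknown."""
    m = BANNER.search(banner)
    if not m or m.group(1) not in FIXED:
        return "unknown"  # a branch the article says nothing about
    letters, fixed = m.group(2), FIXED[m.group(1)]
    # Patch letters order by length, then alphabetically: '' < 'a' < 'z' < 'za'.
    if (len(letters), letters) >= (len(fixed), fixed):
        return "patched"
    return "unpatched"

def triage(host):
    """Return 'patched', 'unknown', 'unpatched' or 'exposed-2107' for one host."""
    status = patch_status(host["banner"])
    if status != "unpatched":
        return status
    # Assumption: in 1.0.x suite names, AES without GCM means AES-CBC.
    aes_cbc = "AES" in host["cipher"] and "GCM" not in host["cipher"]
    # Linux /proc/cpuinfo reports AES-NI support as the 'aes' flag.
    aes_ni = "aes" in host["cpu_flags"].split()
    return "exposed-2107" if aes_cbc and aes_ni else "unpatched"

# Constructed inventory records (hypothetical hosts, not real data).
SAMPLE = [
    {"name": "web-a", "banner": "OpenSSL 1.0.1s",
     "cipher": "ECDHE-RSA-AES256-SHA", "cpu_flags": "fpu sse2 aes avx"},
    {"name": "web-b", "banner": "OpenSSL 1.0.2g",
     "cipher": "ECDHE-RSA-AES128-GCM-SHA256", "cpu_flags": "fpu sse2 aes avx"},
    {"name": "web-c", "banner": "OpenSSL 1.0.2h",
     "cipher": "AES128-SHA", "cpu_flags": "fpu sse2 aes avx"},
    {"name": "web-d", "banner": "OpenSSL 1.0.1t",
     "cipher": "AES256-SHA", "cpu_flags": "fpu sse2"},
]

def report(hosts):
    """Map each host name to its triage result."""
    return {h["name"]: triage(h) for h in hosts}

if __name__ == "__main__":
    for name, result in report(SAMPLE).items():
        print(f"{name}: {result}")
```

A host reported as `unpatched` does not meet the CVE-2016-2107 conditions for the sampled connection but still needs the upgrade for the other CVEs the article lists.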