The OpenSSL Vulnerability – CVE-2015-1793

Severity: High

What is OpenSSL?
OpenSSL is a general purpose cryptography library that implements a cryptographic security protocol called TLS/SSL, and puts the “S” in HTTPS for many websites.

The Vulnerability
An attacker can lure or misdirect a user to a bogus website, email server or any other internet service that relies on TLS/SSL for its secure communication, tricking the user into believing they are connected to something legitimate and secure.

Effects of the bug
An attacker may be able to create a certificate in someone else’s name and then sneak it past OpenSSL’s certificate verification process without triggering a warning, even though the certificate isn’t signed by a trusted CA.

How big is the risk?
Four OpenSSL versions are affected:
• Versions 1.0.2b and 1.0.2c need updating to 1.0.2d. (The -a sub-version is immune.)
• Versions 1.0.1n and 1.0.1o need updating to 1.0.1p. (Sub-versions up to and including -n are immune.)
• All 0.9.8 versions are immune.
• All 1.0.0 versions are immune.

What to do?
If you are running any of the affected OpenSSL versions listed above, you need to update to the fixed release (1.0.2d or 1.0.1p).
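As an added example (not part of the original post), a POSIX shell check that parses the `openssl version` banner and reports whether the build is one of the versions listed above; the function names are my own and the banners used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: classify an `openssl version`
# banner against the versions listed as affected by CVE-2015-1793.
# Affected: 1.0.2b, 1.0.2c (fix: 1.0.2d) and 1.0.1n, 1.0.1o (fix: 1.0.1p).

# Extract the bare version token (e.g. "1.0.2c") from a banner such as
# "OpenSSL 1.0.2c 12 Jun 2015" or "OpenSSL 1.0.1n-fips 11 Jun 2015".
# Prints nothing for banners that are not OpenSSL (e.g. LibreSSL).
openssl_version_token() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Print the verdict for a banner. Returns 1 when the banner is not an
# OpenSSL version line at all, so callers can tell "unknown" from "safe".
cve_2015_1793_status() {
    ver=$(openssl_version_token "$1")
    [ -n "$ver" ] || return 1
    case "$ver" in
        1.0.2b|1.0.2c) echo "affected: update to 1.0.2d" ;;
        1.0.1n|1.0.1o) echo "affected: update to 1.0.1p" ;;
        *)             echo "not affected" ;;
    esac
}

# Check the locally installed binary, if there is one.
if command -v openssl >/dev/null 2>&1; then
    cve_2015_1793_status "$(openssl version)" || echo "unrecognised openssl banner"
fi
```

Distributions that backport security fixes may keep an affected-looking version string, so on such systems confirm against the package changelog rather than the banner alone.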

References
https://www.openssl.org/news/secadv_20150709.txt
