OpenSSL Fixes Over a Dozen Exploits, Including a High-Severity Vulnerability
The OpenSSL Project has fixed over a dozen vulnerabilities in OpenSSL, releasing versions 1.1.0a, 1.0.2i and 1.0.1u. One of these patched flaws includes a high severity vulnerability that can be exploited for denial-of-service (DoS) attacks.
Tracked as CVE-2016-6304, attackers could exploit the flaw by sending a server a large OCSP Status Request extension, causing memory exhaustion to launch DoS attacks. Reported by a Chinese security firm, the vulnerability affects servers even if they don't support OCSP.
A malicious client can send an excessively large OCSP Status Request extension. If that client continually requests renegotiation, sending a large OCSP Status Request extension each time, then there will be unbounded memory growth on the server. This will eventually lead to a Denial Of Service attack through memory exhaustion. Servers with a default configuration are vulnerable even if they do not support OCSP. Builds using the "no-ocsp" build time option are not affected.
Servers using OpenSSL versions prior to 1.0.1g are not vulnerable in a default configuration, instead only if an application explicitly enables OCSP stapling support.
OpenSSL Project also fixes one moderate severity and 12 low severity vulnerabilities
The Project has also resolved 12 low severity vulnerabilities, but they don't affect the 1.1.0 branch that was launched a month ago. But, that branch is affected by a moderate severity flaw (CVE-2016-6305) that can also be exploited for DoS attacks.
The OpenSSL Project will end support for OpenSSL version 1.0.1 on 31st December 2016. Users won't receive any security updates after that. It was also noted in the security bulletin that support for versions 0.9.8 and 1.0.0 already ended on 31st December 2015. Security experts have advised users to upgrade in order to avoid any security issues.
More in Security Today