The “critical” vulnerability introduced in OpenSSL 1.1.0a does not affect SSL/TLS Certificates but admins should still patch their OpenSSL framework as soon as possible.
Early this morning, the OpenSSL project team released two security patches—1.1.0b, and 1.0.2j—for two security vulnerabilities discovered in OpenSSL. These two new patches fix a “critical” severity vulnerability found in version 1.1.0a and a “moderate” severity vulnerability found in versions 1.0.2i.
Neither of these bugs affect your SSL/TLS Certificates, and no actions are required related to SSL/TLS Certificate management.
Source code for all the OpenSSL patches is available at OpenSSL Cryptography and SSL/TLS Toolkit.
For a full list of vulnerabilities, see the OpenSSL Security Advisory [26 Sep 2016].
“Critical” Severity Vulnerability
Fix Use After Free for large message sizes (CVE-2016-6309)
The OpenSSL Security advisory reported one “critical” severity vulnerability that affects only 1.1.0a users. This vulnerability was introduced in the fix for the “Excessive allocation of memory in tls_get_message_header() (CVE-2016-6307)” low severity vulnerability.
If the server receives a message that is 16k or larger, then “underlying buffer to store the incoming message is reallocated and moved.” The problem: a “dangling pointer” remains. When the server tries to write to this supposedly free location, it may cause the server to crash. Or in a worst-case scenario, it could result in arbitrary code being executed.
This vulnerability only affects those running an instance of OpenSSL 1.1.0a.
Update your instance of OpenSSL 1.1.0a immediately:
- OpenSSL 1.1.0a users need to upgrade to version 1.1.0b
“Moderate” Severity Vulnerability
Missing CRL sanity check (CVE-2016-7052)
The “moderate” severity vulnerability reported by the OpenSSL Security advisory only affects 1.0.2i users. This vulnerability was introduced in a bug fix that was supposed to contain a “CRL sanity check.” Because it was left out, an attempt to use CRLs results in a “crash with a null pointer exception.”
This vulnerability only affects those running an instance of OpenSSL 1.0.2i.
Update your instance of OpenSSL 1.0.2i:
- OpenSSL 1.0.2i users need to upgrade to version 1.0.1j.
Plan to Upgrade to OpenSSL 1.0.2 or 1.1.0 Soon
There are only three months left until support for your instance of OpenSSL 1.0.1 ends (December 31, 2016). If you are running an instance of OpenSSL 1.0.1, upgrade to the latest version of OpenSSL 1.1.0 (recommended) or 1.0.2 before support ends.