DigiCert Blog

OpenSSL Patches 3 Security Vulnerabilities in OpenSSL 1.1.0

These vulnerabilities do not affect SSL/TLS certificates, but system admins should patch their 1.1.0 OpenSSL framework as soon as possible.

This morning, the OpenSSL project team released the security patch 1.1.0c for three security vulnerabilities discovered in OpenSSL 1.1.0. This patches fix one “high severity,” one “moderate severity,” and one “low severity” vulnerabilities.

None of these bugs affect SSL/TLS certificates. No actions related to SSL/TLS certificate management are required.

Source code for all the OpenSSL patches is available at OpenSSL Cryptography and SSL/TLS Toolkit.

For a full list of vulnerabilities, see the OpenSSL Security Advisory [10 Nov 2016].

About the High Severity Vulnerability

ChaCha20/Poly1305 heap-buffer-overflow (CVE-2016-7054)

The high severity vulnerability affects TLS connects that use the *-CHACHA20-POLY1305 cipher suites. These type of TLS connections are vulnerable to a DoS attack where the attacker sends a large corrupted payload, which could crash OpenSSL.

This issue only affects those running an instance of OpenSSL 1.1.0.

Update your instance(s) of OpenSSL:

  • OpenSSL 1.1.0 users need to upgrade to version 1.1.0c

About the Moderate Severity Vulnerability

CMS Null dereference (CVE-2016-7053)

“Applications parsing invalid CMS structures can crash with a NULL pointer dereference.” This vulnerability only affects CHOICE structures that use callbacks that cannot handle NULL value.

This issue only affects those running an instance of OpenSSL 1.1.0.

Update your instance(s) of OpenSSL:

  • OpenSSL 1.1.0 users need to upgrade to version 1.1.0c

About the Low Severity Vulnerability

Montgomery multiplication may produce incorrect results (CVE-2016-7055)

“Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation.”

This issue only affects those running an instance of OpenSSL 1.1.0 and 1.0.2.*

*Note: Although this bug is also found in OpenSSL 1.0.2, the severity of the issue and likelihood of it being exploited are so low that OpenSSL will patch it in the next 1.0.2 release.

Update your instance(s) of OpenSSL:

  • OpenSSL 1.1.0 users need to upgrade to version 1.1.0c

Support for OpenSSL 1.0.1 Ends Soon

Support for OpenSSL 1.0.1 will end on December 31, 2016. The OpenSSL community will no longer issue security updates for 1.0.1 after that date. If you are still running an instance of OpenSSL 1.0.1, make plans now to upgrade to the latest version of OpenSSL 1.1.0 (recommended) or 1.0.2 before 2016 ends.

Share on Facebook0Share on Google+0Tweet about this on TwitterShare on LinkedIn2

About Jason Sabin

DigiCert's Chief Security Officer, Jason Sabin, develops innovative products and features to simplify SAAS-based digital certificate management. Previously he oversaw Novell’s Security Review Board and built their first pen testing teams. He has filed over 50 patents, earning him the “Utah Genius” award.