Back
-
Solutions
Back
Digital Trust for:
Enterprise IT, PKI & Identity
Code & Software
Documents & Signing
IoT & Connected Devices
Manage PKI and Certificate risk in one place
Streamlined Certificate
Management and Automation:
Delivering At-Scale Uptime and Availability
Secure, update, monitor and control connected devices at scale
DOWNLOAD NOW - Buy
-
Insights
Back
Digital Trust for the Real World
Explore these pages to discover how DigiCert is helping organizations establish, manage and extend digital trust to solve real-world problems.
Ponemon Institute Report
See what our global post-quantum study uncovered about where the world stands in the race to prepare for quantum computing.
LEARN MORE >
-
Partners
Back
- Support
- Contact us
- Language
This morning, the OpenSSL project team released the security patch 1.1.0c for three security vulnerabilities discovered in OpenSSL 1.1.0. This patches fix one “high severity,” one “moderate severity,” and one “low severity” vulnerabilities.
None of these bugs affect SSL/TLS certificates. No actions related to SSL/TLS certificate management are required.Source code for all the OpenSSL patches is available at OpenSSL Cryptography and SSL/TLS Toolkit.
For a full list of vulnerabilities, see the OpenSSL Security Advisory [10 Nov 2016].
About the High Severity Vulnerability
ChaCha20/Poly1305 heap-buffer-overflow (CVE-2016-7054)
The high severity vulnerability affects TLS connects that use the *-CHACHA20-POLY1305 cipher suites. These type of TLS connections are vulnerable to a DoS attack where the attacker sends a large corrupted payload, which could crash OpenSSL.
This issue only affects those running an instance of OpenSSL 1.1.0.
Update your instance(s) of OpenSSL:
- OpenSSL 1.1.0 users need to upgrade to version 1.1.0c
About the Moderate Severity Vulnerability
CMS Null dereference (CVE-2016-7053)
“Applications parsing invalid CMS structures can crash with a NULL pointer dereference.” This vulnerability only affects CHOICE structures that use callbacks that cannot handle NULL value.This issue only affects those running an instance of OpenSSL 1.1.0.
Update your instance(s) of OpenSSL:
- OpenSSL 1.1.0 users need to upgrade to version 1.1.0c
About the Low Severity Vulnerability
Montgomery multiplication may produce incorrect results (CVE-2016-7055)
“Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation.”This issue only affects those running an instance of OpenSSL 1.1.0 and 1.0.2.*
*Note: Although this bug is also found in OpenSSL 1.0.2, the severity of the issue and likelihood of it being exploited are so low that OpenSSL will patch it in the next 1.0.2 release.Update your instance(s) of OpenSSL:
- OpenSSL 1.1.0 users need to upgrade to version 1.1.0c
Support for OpenSSL 1.0.1 Ends Soon
Support for OpenSSL 1.0.1 will end on December 31, 2016. The OpenSSL community will no longer issue security updates for 1.0.1 after that date. If you are still running an instance of OpenSSL 1.0.1, make plans now to upgrade to the latest version of OpenSSL 1.1.0 (recommended) or 1.0.2 before 2016 ends.
-
The most-trusted global provider of high-assurance TLS/SSL, PKI, IoT and signing solutions.
-
-
© 2024 DigiCert, Inc. All rights reserved.
Legal Repository Audits & Certifications Terms of Use Privacy Center Accessibility Cookie Settings