Back
-
Solutions
Back
Digital Trust for:
Enterprise IT, PKI & Identity
Code & Software
Documents & Signing
IoT & Connected Devices
Manage PKI and Certificate risk in one place
Streamlined Certificate
Management and Automation:
Delivering At-Scale Uptime and Availability
Secure, update, monitor and control connected devices at scale
DOWNLOAD NOW - Buy
-
Insights
Back
Digital Trust for the Real World
Explore these pages to discover how DigiCert is helping organizations establish, manage and extend digital trust to solve real-world problems.
Ponemon Institute Report
See what our global post-quantum study uncovered about where the world stands in the race to prepare for quantum computing.
LEARN MORE >
-
Partners
Back
- Support
- Contact us
- Language
Announcements
09-27-2016
Jason Sabin
OpenSSL Patches “Critical” & “Moderate” Security Vulnerabilities
Early this morning, the OpenSSL project team released two security patches—1.1.0b, and 1.0.2j—for two security vulnerabilities discovered in OpenSSL. These two new patches fix a “critical” severity vulnerability found in version 1.1.0a and a “moderate” severity vulnerability found in versions 1.0.2i.
Neither of these bugs affect your SSL/TLS Certificates, and no actions are required related to SSL/TLS Certificate management.Source code for all the OpenSSL patches is available at OpenSSL Cryptography and SSL/TLS Toolkit.
For a full list of vulnerabilities, see the OpenSSL Security Advisory [26 Sep 2016].
“Critical” Severity Vulnerability
Fix Use After Free for large message sizes (CVE-2016-6309)
The OpenSSL Security advisory reported one “critical” severity vulnerability that affects only 1.1.0a users. This vulnerability was introduced in the fix for the "Excessive allocation of memory in tls_get_message_header() (CVE-2016-6307)" low severity vulnerability.
If the server receives a message that is 16k or larger, then “underlying buffer to store the incoming message is reallocated and moved.” The problem: a “dangling pointer” remains. When the server tries to write to this supposedly free location, it may cause the server to crash. Or in a worst-case scenario, it could result in arbitrary code being executed.
This vulnerability only affects those running an instance of OpenSSL 1.1.0a.
Update your instance of OpenSSL 1.1.0a immediately:
- OpenSSL 1.1.0a users need to upgrade to version 1.1.0b
“Moderate” Severity Vulnerability
Missing CRL sanity check (CVE-2016-7052)
The “moderate” severity vulnerability reported by the OpenSSL Security advisory only affects 1.0.2i users. This vulnerability was introduced in a bug fix that was supposed to contain a “CRL sanity check.” Because it was left out, an attempt to use CRLs results in a “crash with a null pointer exception.”
This vulnerability only affects those running an instance of OpenSSL 1.0.2i.
Update your instance of OpenSSL 1.0.2i:
- OpenSSL 1.0.2i users need to upgrade to version 1.0.1j.
Plan to Upgrade to OpenSSL 1.0.2 or 1.1.0 Soon
There are only three months left until support for your instance of OpenSSL 1.0.1 ends (December 31, 2016). If you are running an instance of OpenSSL 1.0.1, upgrade to the latest version of OpenSSL 1.1.0 (recommended) or 1.0.2 before support ends.
-
The most-trusted global provider of high-assurance TLS/SSL, PKI, IoT and signing solutions.
-
-
© 2024 DigiCert, Inc. All rights reserved.
Legal Repository Audits & Certifications Terms of Use Privacy Center Accessibility Cookie Settings