3 May 2016

New versions of OpenSSL library 1.0.1t and 1.0.2h were released a couple of hours ago. According to changelog, vendor fixed five security vulnerabilities in total. The vulnerabilities can be exploited to disclose potentially sensitive information, perform MitM (Man-in-the-Middle) attacks, cause denial of service and execute arbitrary code.

Below is the list of vulnerabilities, fixed in OpenSSL library:

CVE ID Description Impact Severity CVE-2016-2107 Padding oracle attack and traffic description MitM 3.7 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N] CVE-2016-2105 Heap corruption in EVP_EncodeUpdate() function DoS/RCE 10.0 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H] CVE-2016-2106 Heap corruption in EVP_EncodeUpdate() function DoS/RCE 10.0 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H] CVE-2016-2109 Excessive memory allocation when handling ASN.1 data in d2i_CMS_bio() function DoS 5.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L] CVE-2016-2176 Information disclosure in X509_NAME_oneline() function Information Exposure 5.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N]

The are no known public exploits for any of the vulnerabilities. Nevertheless, we recommend installing the latest version ASAP to avoid any potential exploitation of these vulnerabilities.

Visit the vendors website to download and install the latest version of OpenSSL.