Back on April 7th there was something called the Heartbleed Open SSL bug that caused some security issues for servers running certain versions of OpenSSL.
There was a new OpenSSL security advisory posted earlier today disclosing seven additional security flaws found in OpenSSL 1.0.1 and OpenSSL 1.0.2-beta1. There was also a new OpenSSL 1.0.1h patch made available today as well.
All InMotion Hosting server’s have been reviewed and any vulnerable versions are in the process of being patched. Customer’s might have noticed a few second duration of unavailability in their services today as they were restarted to apply the security patches.
OpenSSL 1.0.1 and 1.0.2-beta1 vulnerabilities
An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.
The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.
By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack.
A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server.
A flaw in the do_ssl3_write function can allow remote attackers to cause a denial of service via a NULL pointer dereference. This flaw only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.
A race condition in the ssl3_read_bytes function can allow remote attackers to inject data across sessions or cause a denial of service. This flaw only affects multithreaded applications using OpenSSL 1.0.0 and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.
OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a denial of service attack.
Vulnerable versions of OpenSSL
openssl 1.0.1 | openssl 1.0.1:beta1 | openssl 1.0.1:beta2 | openssl 1.0.1:beta3 | openssl 1.0.1:a |
openssl 1.0.1:b | openssl 1.0.1:c | openssl 1.0.1:d | openssl 1.0.1:e | openssl 1.0.1:f |
openssl 1.0.2-beta1 |
Recommended upgrade paths for OpenSSL
Current OpenSSL version | Should you upgrade? | Updated OpenSSL version |
---|---|---|
openssl 0.9.8 | Recommended | openssl 0.9.8za |
openssl 1.0.0 | Recommended | openssl 1.0.0m |
openssl 1.0.1 | Required | openssl 1.0.1h |