OpenSSL Fixed a Critical Vulnerability


This week OpenSSL fixed a critical vulnerability, CVE-2015-1793, newly discovered in OpenSSL. The bug lies in certificate verification (authentication) processing and may allow a man-in-the-middle (MITM) attack.

The OpenSSL Foundation released a patch for this security issue, which affects OpenSSL versions 1.0.1n, 1.0.1o, 1.0.2b and 1.0.2c. According to the advisory:

“During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and “issue” an invalid certificate.”

The vulnerable versions are OpenSSL 1.0.2b/1.0.2c and OpenSSL 1.0.1n/1.0.1o; users should upgrade to 1.0.2d or 1.0.1p respectively. The vulnerability was reported on 24 June 2015 by Google and BoringSSL and fixed by BoringSSL security researchers.
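The check the advisory describes as bypassed is the CA flag (basicConstraints) on an intermediate. The following script, added here as an example and not part of the advisory or the OpenSSL project, builds a throwaway chain root -> leaf (CA:FALSE) -> certificate signed by that leaf, and confirms that the local `openssl verify` rejects it; it assumes the `openssl` CLI is installed, and every name and key in it is constructed on the fly.

```shell
#!/bin/sh
# Added example: regression check for the CA-flag enforcement that
# CVE-2015-1793 bypassed. A correctly behaving OpenSSL must refuse a
# certificate whose issuer is an end-entity certificate (CA:FALSE).
# All keys and certificates are temporary, constructed for this test.
set -e

# Returns 0 when verification correctly rejects the leaf-as-CA chain,
# 1 when the chain is (wrongly) accepted, 2 if the test setup failed.
leaf_as_ca_is_rejected() {
    work=$(mktemp -d)
    printf 'basicConstraints=critical,CA:TRUE\n'  > "$work/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\n' > "$work/leaf.ext"

    # Self-signed root with CA:TRUE (constructed test root)
    openssl req -new -newkey rsa:2048 -nodes -keyout "$work/root.key" \
        -out "$work/root.csr" -subj "/CN=Constructed Test Root" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$work/root.csr" -signkey "$work/root.key" \
        -extfile "$work/ca.ext" -out "$work/root.pem" >/dev/null 2>&1

    # Ordinary end-entity certificate issued by the root, explicitly CA:FALSE
    openssl req -new -newkey rsa:2048 -nodes -keyout "$work/leaf.key" \
        -out "$work/leaf.csr" -subj "/CN=leaf.example.test" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$work/leaf.csr" -CA "$work/root.pem" \
        -CAkey "$work/root.key" -CAcreateserial -extfile "$work/leaf.ext" \
        -out "$work/leaf.pem" >/dev/null 2>&1

    # Certificate signed with the leaf's key, i.e. the leaf acting as a CA
    openssl req -new -newkey rsa:2048 -nodes -keyout "$work/rogue.key" \
        -out "$work/rogue.csr" -subj "/CN=rogue.example.test" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$work/rogue.csr" -CA "$work/leaf.pem" \
        -CAkey "$work/leaf.key" -CAcreateserial -out "$work/rogue.pem" >/dev/null 2>&1

    # Make sure setup produced every file before drawing any conclusion
    [ -s "$work/root.pem" ] && [ -s "$work/leaf.pem" ] && [ -s "$work/rogue.pem" ] \
        || { rm -rf "$work"; return 2; }

    # Correct behaviour: verify fails because the intermediate lacks CA:TRUE
    if openssl verify -CAfile "$work/root.pem" -untrusted "$work/leaf.pem" \
        "$work/rogue.pem" >/dev/null 2>&1; then
        rm -rf "$work"
        return 1   # accepted: the CA flag check was bypassed
    fi
    rm -rf "$work"
    return 0       # rejected: the CA flag check is enforced
}

leaf_as_ca_is_rejected && echo "CA flag enforced: leaf-issued certificate rejected"
```

On a patched build `openssl verify` reports an "invalid CA certificate" error at depth 1 and the function returns 0; a return of 1 means the library accepted the leaf as an issuer and should be treated as a finding.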

If you are running one of the affected OpenSSL versions, review the published advisory now and plan testing and roll-out of the fixed version.
