The OpenSSL team published a security advisory on October 15th 2014; see the OpenSSL site for more information.
In short, SSLv3 with ciphers in Cipher Block Chaining (CBC) mode has a weakness that can be exploited by the POODLE attack, tracked as CVE-2014-3566.
The POODLE attack depends on SSLv3 and tries to downgrade a connection to that specific, really old protocol. This downgrade can be mitigated by using the signaling cipher suite value (SCSV) TLS_FALLBACK_SCSV, which is implemented in this latest version of OpenSSL. Please be advised that not only the server, but also the client has to support this relatively new method: a server can only refuse a downgrade that the client has signaled.
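To make the SCSV mechanism concrete, here is an added Python example (not code from the original post or from the OpenSSL project) that builds minimal ClientHello bodies and applies the server-side rule from RFC 7507: refuse with an inappropriate_fallback alert when TLS_FALLBACK_SCSV is present in the offered cipher suites and the offered version is lower than the highest version the server supports. The sample cipher suites, the helper names and the server's version policy are constructions for illustration only.

```python
import struct

# Protocol version numbers as they appear on the wire (major, minor).
SSL3_VERSION = 0x0300
TLS1_0_VERSION = 0x0301
TLS1_2_VERSION = 0x0303

# Signaling Cipher Suite Value from RFC 7507. It is not a real cipher suite;
# a client only includes it when retrying a handshake at a lower version.
TLS_FALLBACK_SCSV = 0x5600

# Sample cipher suites used for the constructed ClientHellos below.
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F


def build_client_hello(client_version, cipher_suites, client_random=b"\x00" * 32):
    """Serialise a minimal ClientHello body (no extensions), RFC 5246 section 7.4.1.2."""
    if len(client_random) != 32:
        raise ValueError("client random must be 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = struct.pack("!H", client_version) + client_random
    body += b"\x00"                                   # empty session_id
    body += struct.pack("!H", len(suites)) + suites   # cipher_suites vector
    body += b"\x01\x00"                               # one compression method: null
    return body


def parse_client_hello(body):
    """Return (client_version, [cipher suite code points]) from a ClientHello body."""
    if len(body) < 2 + 32 + 1:
        raise ValueError("truncated ClientHello")
    client_version = struct.unpack("!H", body[0:2])[0]
    pos = 34                          # skip version (2) and random (32)
    session_id_len = body[pos]
    pos += 1 + session_id_len
    if len(body) < pos + 2:
        raise ValueError("truncated cipher_suites length")
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    raw = body[pos:pos + suites_len]
    if len(raw) != suites_len or suites_len % 2 != 0:
        raise ValueError("malformed cipher_suites vector")
    suites = [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, suites_len, 2)]
    return client_version, suites


def server_fallback_check(server_max_version, client_hello_body):
    """Apply the RFC 7507 server-side rule (hypothetical helper, not OpenSSL's API).

    If the client signals a fallback (TLS_FALLBACK_SCSV present) but offers a
    version lower than the highest one this server supports, the handshake is
    refused with an inappropriate_fallback alert (alert code 86) instead of
    quietly negotiating the weaker protocol. Otherwise the handshake continues.
    """
    client_version, suites = parse_client_hello(client_hello_body)
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return "alert:inappropriate_fallback"
    return "proceed"


if __name__ == "__main__":
    server_max = TLS1_2_VERSION
    # 1. Normal first attempt at TLS 1.2: no SCSV, the handshake proceeds.
    first = build_client_hello(TLS1_2_VERSION, [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256])
    # 2. Fallback retry at SSLv3 carrying the SCSV: the server refuses the downgrade.
    retry = build_client_hello(SSL3_VERSION, [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_FALLBACK_SCSV])
    # 3. Client that does not implement the SCSV and offers SSLv3: nothing to detect.
    legacy = build_client_hello(SSL3_VERSION, [TLS_RSA_WITH_AES_128_CBC_SHA])
    for name, hello in (("first", first), ("retry", retry), ("legacy", legacy)):
        print(name, server_fallback_check(server_max, hello))
```

The third scenario is the point the paragraph above makes: a server that implements TLS_FALLBACK_SCSV still accepts an SSLv3 ClientHello that carries no signal, so a client without SCSV support gets no protection from the server-side check alone. Disabling SSLv3 on the server removes that residual case regardless of what the client does.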
All vulnerabilities in the advisory have been patched in the latest version of OpenSSL 1.0.2-chacha. Moreover, the new binaries and sources are aligned with the latest beta release (3). The advisory covers:
- SRTP Memory Leak (CVE-2014-3513)
- Session Ticket Memory Leak (CVE-2014-3567)
- SSL 3.0 Fallback protection
- Build option no-ssl3 is incomplete (CVE-2014-3568)
As always, check https://onwebsecurity.com/cryptography/openssl for the latest Windows 32 and 64 bit binaries, and https://github.com/PeterMosmans/openssl for the latest sources.