OpenSSL Vulnerabilities in Version 1.0.1e

IDs: 
CVE-2013-6449, CVE-2013-4353, CVE-2013-6450, CB-K13/1074, CB-K14/0009
Keywords: 
OpenSSL, TLS, DTLS
Description: 

Fixes have been released for the following three vulnerabilities in OpenSSL version 1.0.1e, which is used by Airlock 4.2.6.2 and earlier:

CVE-2013-6449: A flaw in OpenSSL can cause Apache httpd to crash when using TLS version 1.2. Airlock may be affected by this vulnerability.

CVE-2013-4353: A carefully crafted invalid TLS handshake could crash OpenSSL with a NULL pointer exception. Airlock may be affected by this vulnerability. 

CVE-2013-6450: Vulnerability in the retransmission protocol of DTLS. Airlock is not affected because the DTLS protocol is not used.

Resolution: 

Hotfix HF4219 is available for Airlock 4.2.6, 4.2.6.1 and 4.2.6.2. It updates OpenSSL to version 1.0.1f, which fixes the described issues. Airlock 5.0 will already provide OpenSSL 1.0.1f and is therefore not affected.

Component: 
Airlock
Airlock Vulnerability Status: 
Airlock vulnerable, see resolution
Back-end Vulnerability Status: 
Does not affect back-end behind Airlock