You are here

OpenSSL Vulnerabilities related to Version 1.0.1h

CVE-2014-0224, CVE-2014-0221, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470, CVE-2014-0195, CVE-2014-0076

OpenSSL released a new version 1.0.1h today. The update fixes several security issues. Airlock may be affected by 1-3 issues depending on the Airlock version and configuration. We rate the criticality of the issues as moderate.

SSL/TLS MITM issue: CVE-2014-0224
The issue affects Airlock as a client for back-end connections and as a server for front-side connections but only if the peer system is using a vulnerable OpenSSL version as well. In this case an active man-in-the-middle attacker can force the use of weak keying material and may be able to decrypt and modify traffic.
SSL_MODE_RELEASE_BUFFERS issues: CVE-2014-0198 and CVE-2010-5298
These issues affect only Airlock 5.0 (Apache httpd 2.4). An attacker may be able to inject data across httpd sessions or cause a denial of service.
DTLS Issue: CVE-2014-0221 and CVE-2014-0195
Airlock is not affected because Datagram TLS is not is use.
Anonymous ECDH issue: CVE-2014-3470
The default ciphersuite of Airlock is not affected because anonymous ECDH ciphersuites are not in use.
Other issues: CVE-2014-0076
The issue is already fixed in OpenSSL 1.0.1g. This OpenSSL version is provided with Airlock, for Airlock 4.2.6 to with hotfix HF4220 and for Airlock 5.0 with hotfix HF5001.

Please install hotfix HF4222 for Airlock 4.2.6.x and HF5002 for Airlock 5.0, respectively.

Airlock Vulnerability Status: 
Airlock vulnerable, see resolution
Back-end Vulnerability Status: 
Does not affect back-end behind Airlock