OpenSSL released version 1.0.1h today. The update fixes several security issues. Airlock may be affected by 1-3 of these issues, depending on the Airlock version and configuration. We rate the criticality of the issues as moderate.
SSL/TLS MITM issue: CVE-2014-0224
The issue affects Airlock as a client for back-end connections and as a server for front-side connections, but only if the peer system is using a vulnerable OpenSSL version as well. In this case, an active man-in-the-middle attacker can force the use of weak keying material and may be able to decrypt and modify traffic.
SSL_MODE_RELEASE_BUFFERS issues: CVE-2014-0198 and CVE-2010-5298
These issues affect only Airlock 5.0 (Apache httpd 2.4). An attacker may be able to inject data across httpd sessions or cause a denial of service.
DTLS issues: CVE-2014-0221 and CVE-2014-0195
Airlock is not affected because Datagram TLS is not in use.
Anonymous ECDH issue: CVE-2014-3470
The default ciphersuite of Airlock is not affected because anonymous ECDH ciphersuites are not in use.
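A way to check whether a customised cipher string would enable anonymous ECDH suites, as an added example that is not part of the original advisory or of Airlock's own tooling. The function names and the sample output are constructed, and `check_cipher_string` assumes the local `openssl` binary is the same build as the one whose configuration is being checked.

```shell
#!/bin/sh
# Added example: find anonymous ECDH suites in `openssl ciphers -v` output.
# Each output line has the form:
#   AECDH-AES256-SHA  SSLv3 Kx=ECDH  Au=None Enc=AES(256)  Mac=SHA1
# A suite is anonymous ECDH when key exchange is ECDH and authentication is None.

# Reads `openssl ciphers -v` output on stdin, prints the matching suite names.
anon_ecdh_suites() {
    awk '{
        kx = ""; au = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^Kx=/) kx = substr($i, 4)
            if ($i ~ /^Au=/) au = substr($i, 4)
        }
        if (kx ~ /^ECDH/ && au == "None") print $1
    }'
}

# Constructed sample of `openssl ciphers -v` output (not captured from Airlock).
sample_output() {
    cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
AECDH-RC4-SHA           SSLv3 Kx=ECDH     Au=None Enc=RC4(128)  Mac=SHA1
EOF
}

# check_cipher_string CIPHERSTRING
# Returns 0 if the string expands to no anonymous ECDH suite, 1 if it does,
# 2 if openssl could not expand the string at all.
check_cipher_string() {
    list=$(openssl ciphers -v "$1") || return 2
    found=$(printf '%s\n' "$list" | anon_ecdh_suites)
    if [ -z "$found" ]; then
        return 0
    fi
    printf 'anonymous ECDH suites enabled:\n%s\n' "$found" >&2
    return 1
}

# Demonstration on the constructed sample: prints the two AECDH suites.
sample_output | anon_ecdh_suites
```

Run `check_cipher_string` with the cipher string actually configured; the ADH suite in the sample is deliberately not reported because it uses plain DH rather than ECDH.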
Other issues: CVE-2014-0076
The issue is already fixed in OpenSSL 1.0.1g. This OpenSSL version is provided with Airlock 4.2.6.3, with hotfix HF4220 for Airlock 4.2.6 to 4.2.6.2, and with hotfix HF5001 for Airlock 5.0.