OpenSSL Vulnerabilities related to Version 1.0.1n/1.0.1o

IDs: 
CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1792, CVE-2015-1791, CVE-2014-8176
Keywords: 
OpenSSL, TLS, DoS, Elliptic Curve
Description: 

OpenSSL released a security advisory [1] on June 11, 2015, describing 7 vulnerabilities fixed in the newest releases (i.e. 1.0.1n and 1.0.1o).

Airlock WAF is affected by CVE-2015-1788 when client certificate authentication is enabled. An attacker is able to perform a denial of service attack by sending a specially crafted client certificate.

Details of the other vulnerabilities not affecting Airlock WAF:

| Vulnerability/CVE | Description |
|---|---|
| Logjam | Most Airlock WAF deployments are not affected because export cipher suites are not enabled. For further details please see [2]. |
| CVE-2015-1789 | Affects the parsing code of time strings in X509 certificates. TLS servers with client authentication enabled may be affected if they use custom verification callbacks. Airlock WAF is not affected because custom verification callbacks are not used. |
| CVE-2015-1790 | Affects the parsing code of PKCS#7 blobs, which is not used by Airlock WAF. |
| CVE-2015-1792 | Affects the Cryptographic Message Syntax (CMS) code, which is not used by Airlock WAF. |
| CVE-2015-1791 | Affects SSL Session Tickets, which are disabled in Airlock WAF. |
| CVE-2014-8176 | Affects DTLS, which is not used by Airlock WAF. |
Resolution: 

The Airlock team has published hotfixes to update OpenSSL to version 1.0.1o. The criticality of the hotfixes is medium.
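To confirm that a host really runs the fixed release after the hotfix, the following added script (not part of this advisory or of Airlock's tooling) compares the output of `openssl version` against 1.0.1o. It handles OpenSSL's letter suffixes, which do not sort as plain strings (z < za), and deliberately reports "unknown" for a different branch such as 1.0.2a, because a numerically newer branch carries its own fixed release and must not be assumed patched; the branch rule and the 1.0.1o minimum are this example's assumptions.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed release shipped by the Airlock hotfix, as stated in the advisory.
FIXED_VERSION = "1.0.1o"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text: str) -> Tuple[int, int, int, Tuple[int, str]]:
    """Parse '1.0.1n' or 'OpenSSL 1.0.1e-fips 11 Feb 2013' into a sortable tuple.

    OpenSSL letter suffixes sort a < b < ... < z < za < zb, so the suffix is
    compared as (length, text); an empty suffix (e.g. '1.0.1') sorts lowest.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, patch, letters = m.groups()
    return int(major), int(minor), int(patch), (len(letters), letters)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True/False when 'installed' is on the same branch as 'fixed'.

    Returns None for a different branch (e.g. 1.0.2a vs 1.0.1o): a higher
    branch says nothing about this advisory, so it is not treated as fixed.
    """
    inst, fix = parse_openssl_version(installed), parse_openssl_version(fixed)
    if inst[:3] != fix[:3]:
        return None
    return inst >= fix


def check_local_openssl() -> Optional[bool]:
    """Run 'openssl version' on this host and compare it against FIXED_VERSION."""
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=True).stdout
    return is_patched(out)


if __name__ == "__main__":
    # Constructed sample strings in the format 'openssl version' prints.
    for sample in ("OpenSSL 1.0.1n 11 Jun 2015", "OpenSSL 1.0.1o 12 Jun 2015",
                   "OpenSSL 1.0.1e-fips 11 Feb 2013", "OpenSSL 1.0.2a 19 Mar 2015"):
        print(f"{sample:35s} -> patched: {is_patched(sample)}")
```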

Component: 
Airlock
Airlock Vulnerability Status: 
Airlock vulnerable, see resolution
Back-end Vulnerability Status: 
No action required