OpenSSL Vulnerabilities fixed in Version 1.0.1q

IDs: 
CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196
Keywords: 
OpenSSL, PSS, RSA
Description: 

On December 3, 2015, OpenSSL announced the discovery of four vulnerabilities [1].

Airlock WAF is affected by CVE-2015-3194. If client certificate authentication is enabled, an attacker might be able to perform a denial of service attack.

Details of the other three vulnerabilities:

  • CVE-2015-3193: Carry propagating bug in a squaring procedure. This affects OpenSSL version 1.0.2, which is not used by Airlock WAF up to 5.3.1.
  • CVE-2015-3195: Affects applications reading PKCS#7 or CMS data from untrusted sources. Airlock WAF does not process these types of data structures. 
  • CVE-2015-3196: Potential double free vulnerability already fixed in OpenSSL version 1.0.1p. Hotfixes for OpenSSL 1.0.1p were provided in July 2015 [2].

Resolution: 

The Airlock team has published hotfixes for Airlock WAF 5.1.1, 5.2 and 5.3.1 to update OpenSSL to version 1.0.1q. The criticality of the hotfixes is low.

Component: 
Airlock
Airlock Vulnerability Status: 
Airlock vulnerable, see resolution
Back-end Vulnerability Status: 
No action required