
OpenSSL Vulnerabilities Fixed in Version 1.0.1s

IDs: 
CVE-2016-0800, CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0799, CVE-2016-0702, CVE-2016-0703, CVE-2016-0704, CVE-2016-0701, CVE-2015-3197
Keywords: 
OpenSSL, SSLv2, SSLv3, CacheBleed, Drown Attack
Description: 

On March 1, 2016, OpenSSL announced the discovery of 10 vulnerabilities [2].

Airlock WAF and all applications protected by Airlock WAF are not affected.

Details

  • CVE-2016-0800, CVE-2015-3197: SSLv2 cannot be used with Airlock WAF.
  • CVE-2016-0705: DSA private keys cannot be used in Airlock WAF.
  • CVE-2016-0798: The Secure Remote Password protocol (SRP) is not used in Airlock WAF.
  • CVE-2016-0797: Airlock WAF does not use the vulnerable OpenSSL function.
  • CVE-2016-0799: Airlock WAF is not affected because the vulnerable function (BIO_printf) is only used for OCSP in Apache httpd, which is not supported prior to Airlock WAF 6.0.
  • CVE-2016-0702: Also known as the CacheBleed attack. Airlock WAF is not affected because it is not a general-purpose multi-user system.
  • CVE-2016-0704, CVE-2016-0703, CVE-2016-0701: Airlock WAF is not affected because these vulnerabilities are already fixed in OpenSSL 1.0.1q (HF0008).
Resolution: 

No action is required.

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
No action required