
OpenSSL Vulnerabilities Fixed in Version 1.0.2n

Keywords: OpenSSL
Description: 

OpenSSL released a security advisory on December 7, 2017, describing two vulnerabilities fixed in OpenSSL 1.0.2n [1].

Airlock WAF is not affected.

Details:

CVE-2017-3737: Read/write after SSL object in error state. This affects only applications using OpenSSL that have faulty error-state handling. Airlock WAF is not affected because all components using OpenSSL in Airlock WAF have correct error-state handling.

CVE-2017-3738: Overflow bug in the AVX2 Montgomery multiplication procedure. For an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients. Airlock WAF is not affected because such DH key sharing is disabled in all supported Airlock WAF versions.
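As an illustration of the error-state handling that CVE-2017-3737 depends on, the following added example (not Airlock or OpenSSL project code) wraps a TLS object from Python's `ssl` module, which is backed by OpenSSL, so that a fatal error latches and every later read or write is refused by the application itself. The names `GuardedTLS`, `ConnectionDead` and `backend.example` are hypothetical, and the non-TLS input is constructed.

```python
import ssl

class ConnectionDead(Exception):
    """Raised when I/O is attempted on a TLS object that already failed."""

class GuardedTLS:
    """Wraps ssl.SSLObject (OpenSSL underneath) and latches fatal errors."""

    def __init__(self, ctx, hostname):
        self.incoming = ssl.MemoryBIO()   # bytes received from the peer
        self.outgoing = ssl.MemoryBIO()   # bytes to send to the peer
        self._tls = ctx.wrap_bio(self.incoming, self.outgoing,
                                 server_hostname=hostname)
        self.failed = False

    def _call(self, fn, *args):
        if self.failed:
            raise ConnectionDead("TLS object is in error state; discard it")
        try:
            return fn(*args)
        except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
            raise                      # retryable: more network I/O needed
        except ssl.SSLError:
            self.failed = True         # fatal: never touch this object again
            raise

    def handshake(self):
        return self._call(self._tls.do_handshake)
    def read(self, n=4096):
        return self._call(self._tls.read, n)
    def write(self, data):
        return self._call(self._tls.write, data)

def demo():
    """Fail a handshake with constructed non-TLS input, then try to write."""
    conn = GuardedTLS(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT), "backend.example")
    try:
        conn.handshake()
    except ssl.SSLWantReadError:
        pass                           # ClientHello is queued in conn.outgoing
    conn.incoming.write(b"HTTP/1.1 400 Bad Request\r\n\r\n")  # constructed
    try:
        conn.handshake()
    except ssl.SSLError:
        pass                           # fatal handshake error, now latched
    try:
        conn.write(b"application data")
    except ConnectionDead:
        return conn.failed, True       # write refused before reaching OpenSSL
    return conn.failed, False
```

The guard sits in the application, so the decision to stop using the object does not rely on the library's own error-state check.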

Resolution: 

No action required.

Component: Airlock
Airlock Vulnerability Status: Does not affect Airlock
Back-end Vulnerability Status: Does not affect back-end behind Airlock