
OpenSSL Vulnerability Fixed in Version 1.0.2p

IDs: CVE-2018-0732, CVE-2018-0737
Keywords: RSA
Description:

OpenSSL 1.0.2p fixes two vulnerabilities [1]

Airlock WAF is not affected

Details:

  • CVE-2018-0737: Cache timing vulnerability in RSA key generation. Not relevant for Airlock WAF because RSA keys are usually not generated on Airlock WAF, and if they are, attackers cannot mount cache timing attacks in this environment (shell access only for trusted users).

  • CVE-2018-0732: Client DoS due to a large DH parameter. Airlock WAF uses OpenSSL as a server library to handle external TLS connections and as a client library for back-end HTTPS connections, ICAPS, OCSP, CRL Update, etc. The vulnerability is not relevant for the server part because it only affects clients. For the client part, all peers are trusted and the risk of a successful DoS attack is negligible.

Resolution: 

No action required.

Component: Airlock
Airlock Vulnerability Status: Does not affect Airlock
Back-end Vulnerability Status: Does not affect back-end behind Airlock