
OpenSSL 1.0.1k Release: 8 Security Issues Fixed

IDs: 
CVE-2014-3571, CVE-2015-0206, CVE-2014-3569, CVE-2014-3572, CVE-2015-0204, CVE-2015-0205, CVE-2014-8275, CVE-2014-3570
Keywords: 
OpenSSL, DH, Certificate, RSA, SSL, TLS
Description: 

OpenSSL released a security advisory on 8 January 2015 describing 8 vulnerabilities fixed in the newest releases (among others, 1.0.1k).

No OpenSSL update is required. The vulnerabilities are not relevant for Airlock WAF.

Details:

  • CVE-2014-3571, CVE-2015-0206: Affect the DTLS protocol, which is not used by Airlock WAF.
  • CVE-2014-3569, CVE-2015-0204: Airlock WAF is not affected because the configuration and build options "SSL_OP_EPHEMERAL_RSA" and "no-ssl3" are not used.
  • CVE-2014-3572: Affects only client installations of OpenSSL.
  • CVE-2015-0205, CVE-2014-8275, CVE-2014-3570: Low public risk rating. Airlock WAF may only be affected in very rare setups (DH keys signed by a CA, certificate-fingerprint-based security checks), and the risk of exploitation is low.
Resolution: 

No action required.

Airlock WAF protects vulnerable OpenSSL back-ends from external attacks by terminating SSL/TLS.

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Does not affect back-end behind Airlock