OpenSSL released a security advisory [1] on June 11, 2015, describing 7 vulnerabilities fixed in the newest releases (i.e. 1.0.1n and 1.0.1o).
Airlock WAF is affected by CVE-2015-1788 when client certificate authentication is enabled. An attacker is able to perform a denial of service attack by sending a specially crafted client certificate.
Details of the other vulnerabilities not affecting Airlock WAF:
| Vulnerability/CVE | Description |
|---|---|
| Logjam | Most Airlock WAF deployments are not affected because export cipher suites are not enabled. For further details please see [2]. |
| CVE-2015-1789 | Affects the parsing code of time strings in X509 certificates. TLS servers with client authentication enabled may be affected if they use custom verification callbacks. Airlock WAF is not affected because custom verification callbacks are not used. |
| CVE-2015-1790 | Affects the parsing code of PKCS#7 blobs, which is not used by Airlock WAF. |
| CVE-2015-1792 | Affects the Cryptographic Message Syntax (CMS) code, which is not used by Airlock WAF. |
| CVE-2015-1791 | Affects SSL Session Tickets, which are disabled in Airlock WAF. |
| CVE-2014-8176 | Affects DTLS, which is not used by Airlock WAF. |
The Airlock team has published hotfixes to update OpenSSL to version 1.0.1o. The criticality of the hotfixes is medium.
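As an added triage example (not Airlock or OpenSSL code), the helpers below check the two things an operator can verify from the outside: whether a linked OpenSSL 1.0.1 build is older than the 1.0.1o hotfix level, and which of the preconditions listed above (client certificate authentication, session tickets, export ciphers) are visible in a captured `openssl s_client` transcript. The function names and the sample transcript are constructed for this example.

```python
"""Triage helpers for the June 2015 OpenSSL advisory on a TLS front end.
Added example, not Airlock code; all sample data below is constructed."""
import re

FIXED_1_0_1 = (1, 0, 1, "o")  # hotfix level named in the advisory

def parse_openssl_version(text):
    """'OpenSSL 1.0.1m 19 Mar 2015' -> (1, 0, 1, 'm'); the letter may be empty."""
    m = re.search(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)", text)
    if not m:
        raise ValueError("unrecognised openssl version string: %r" % text)
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)

def needs_hotfix(version_text):
    """True when a 1.0.1 build is older than 1.0.1o (patch letters sort as
    strings; a bare '1.0.1' sorts before '1.0.1a'). Other branches are not compared."""
    v = parse_openssl_version(version_text)
    return v[:3] == FIXED_1_0_1[:3] and v[3] < FIXED_1_0_1[3]

def server_exposure(s_client_output):
    """Map a captured 'openssl s_client' transcript to the advisory's preconditions.
    Only server-side conditions visible in a handshake are checked."""
    reachable = []
    # A CertificateRequest makes s_client print the CA list; that is the
    # precondition for CVE-2015-1788 (malformed client certificate -> DoS).
    if "Acceptable client certificate CA names" in s_client_output:
        reachable.append("CVE-2015-1788")
    # A ticket lifetime hint means session tickets are enabled (CVE-2015-1791).
    if "TLS session ticket lifetime hint:" in s_client_output:
        reachable.append("CVE-2015-1791")
    # A negotiated EXP-* suite proves export ciphers are enabled (Logjam);
    # a non-export suite does not prove they are disabled.
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", s_client_output, re.M)
    if cipher and cipher.group(1).startswith("EXP"):
        reachable.append("Logjam")
    return reachable

# Constructed transcript: client auth requested, no ticket, non-export suite.
SAMPLE_S_CLIENT = """\
Acceptable client certificate CA names
/C=CH/O=Example Corp/CN=Example Client CA
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
---
"""
```

For the constructed transcript `server_exposure` returns `["CVE-2015-1788"]`, the one issue the advisory says applies to Airlock WAF when client certificate authentication is enabled.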