You are here
OpenSSL Vulnerabilities fixed in Version 1.0.1q
Submitted on 4. December 2015 - 10:31 by rischi.
Last update on 4. December 2015 - 16:05.
Last update on 4. December 2015 - 16:05.
IDs:
CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196
Keywords:
OpenSSL, PSS, RSA
Description:
On December 3, 2015, OpenSSL announced the discovery of four vulnerabilities [1].
Airlock WAF is affected by CVE-2015-3194. If client certificate authentication is enabled an attacker might be able to perform a denial of service attack.
Details of the other three vulnerabilities:
- CVE-2015-3193: Carry propagating bug in a squaring procedure. This affects Openssl version 1.0.2 which is not used by Airlock WAF up to 5.3.1
- CVE-2015-3195: Affects applications reading PKCS#7 or CMS data from untrusted sources. Airlock WAF does not process these types of data structures.
- CVE-2015-3196: Potential double free vulnerability already fixed in OpenSSL version 1.0.1p. Hotfixes for OpenSSL 1.0.1p were provided in July 2015 [2].
Resolution:
The Airlock team has published hotfixes for Airlock WAF 5.1.1, 5.2 and 5.3.1 to update OpenSSL to version 1.0.1q. The criticality of the hotfixes is low.
Component:
Airlock
Airlock Vulnerability Status:
Airlock vulnerable, see resolution
Back-end Vulnerability Status:
No action required