OpenSSL Vulnerabilities Fixed in Version 1.0.1u and 1.0.2i

Submitted on 22. September 2016 - 15:17 by rischi.
Last update on 19. January 2017 - 14:56.

IDs:

CVE-2016-6304, CVE-2016-6305, CVE-2016-2183, CVE-2016-6303, CVE-2016-6302, CVE-2016-2182, CVE-2016-2180, CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2181, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308

Keywords:

OpenSSL, OCSP

Description:

OpenSSL released a security advisory on September 22, 2016, describing several vulnerabilities fixed in the newest releases [1].

Most of the vulnerabilities are rated with severity low. One vulnerability CVE-2016-6304 is rated with severity high [2]. Denial of service may be possible by sending an excessively large OCSP Status Request extension and continually triggering renegotiation. Airlock WAF is affected, even if OCSP is not enabled.

Resolution:

Hotfixes are available for Airlock WAF 5.3.1 and 6.0 to update OpenSSL to version 1.0.1u and 1.0.2i (for version 6.0). The criticality of the hotfixes is high.

Component:

Airlock

Airlock Vulnerability Status:

Airlock vulnerable, see resolution

Back-end Vulnerability Status:

No action required

Reference:

[1] OpenSSL Vulnerabilities 2016

[2] OpenSSL OCSP Status Request extension unbounded memory growth (CVE-2016-6304)

Main menu

Navigation

User menu

You are here

OpenSSL Vulnerabilities Fixed in Version 1.0.1u and 1.0.2i

Main menu

Search form

Navigation

User menu

You are here

OpenSSL Vulnerabilities Fixed in Version 1.0.1u and 1.0.2i