OpenSSL Vulnerability Fixed in Version 1.0.2j

IDs: 
CVE-2016-7052, CVE-2016-6309
Keywords: 
OpenSSL, CRL
Description: 

OpenSSL released a security advisory on September 26, 2016, describing two vulnerabilities fixed in the newest releases [1].

Airlock WAF 6.0 with hotfix HF0013 is affected by CVE-2016-7052 if client certificate CRL checking is configured.
Airlock WAF 5.3.1 is not affected, since the OpenSSL version it uses (1.0.1) does not contain the bug.

Details:

  • CVE-2016-6309: This vulnerability affects only OpenSSL 1.1.0, which is not used by Airlock WAF.
  • CVE-2016-7052: This vulnerability affects only OpenSSL 1.0.2i installations using CRLs, and therefore only Airlock WAF 6.0 with hotfix HF0013 and a CRL configured for client certificate validation. According to OpenSSL, any attempt to use CRLs will crash OpenSSL with a null pointer exception. We were not able to reproduce this crash, and all of our CRL tests run properly. Nevertheless, we cannot exclude the possibility that there is a way to crash OpenSSL and therefore the Apache HTTP server.
Resolution: 

A hotfix is available for Airlock WAF 6.0 to update OpenSSL to version 1.0.2j.

We recommend installing the hotfix on Airlock WAF 6.0 if:

  • The previous hotfix HF0013 is not yet installed or
  • HF0013 is installed and client certificate CRLs are used.
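
As an added triage helper (not part of this advisory or of the Airlock product), the following Python script encodes the applicability rules stated above: it parses the output of `openssl version`, reports which of the two CVEs apply to a given OpenSSL build and CRL configuration, and applies the hotfix recommendation for Airlock WAF 6.0. The sample version lines are constructed for illustration; the product version, HF0013 and CRL flags are inputs the operator supplies from their own configuration.

```python
import re

# Constructed sample `openssl version` outputs (illustrative only, not taken from any host).
SAMPLE_VERSION_LINES = {
    "waf_5_3_1": "OpenSSL 1.0.1t  3 May 2016",
    "waf_6_0_hf0013": "OpenSSL 1.0.2i  22 Sep 2016",
    "waf_6_0_fixed": "OpenSSL 1.0.2j  26 Sep 2016",
    "other_1_1_0": "OpenSSL 1.1.0a  22 Sep 2016",
}

# Matches "OpenSSL <major>.<minor>.<fix><letter>" (letter suffix is optional, e.g. "1.0.2").
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Version fixing CVE-2016-7052, per the advisory.
FIXED_1_0_2 = (1, 0, 2, "j")


def parse_openssl_version(line):
    """Turn `openssl version` output into a comparable (major, minor, fix, letter) tuple."""
    m = VERSION_RE.search(line)
    if not m:
        raise ValueError("not an OpenSSL version line: %r" % line)
    major, minor, fix, letter = m.groups()
    # Tuples compare element-wise; "" sorts before "a", so 1.0.2 < 1.0.2a < ... < 1.0.2j.
    return (int(major), int(minor), int(fix), letter)


def affected_cves(version, crl_checking_enabled):
    """Return the CVEs from this advisory that apply to the given OpenSSL version."""
    major, minor, fix, letter = version
    found = []
    # CVE-2016-6309: advisory states it affects only the OpenSSL 1.1.0 series.
    if (major, minor, fix) == (1, 1, 0):
        found.append("CVE-2016-6309")
    # CVE-2016-7052: only 1.0.2i, and only when CRLs are actually used.
    if (major, minor, fix, letter) == (1, 0, 2, "i") and crl_checking_enabled:
        found.append("CVE-2016-7052")
    return found


def fixed_for_cve_2016_7052(version):
    """True once the 1.0.2 line is at or beyond 1.0.2j (e.g. after the hotfix is installed)."""
    return version[:3] == (1, 0, 2) and version >= FIXED_1_0_2


def hotfix_recommended(airlock_version, hf0013_installed, crl_used):
    """Apply the advisory's Resolution rules for Airlock WAF.

    Only Airlock WAF 6.0 is in scope; 5.3.1 ships OpenSSL 1.0.1 and needs no action.
    """
    if airlock_version != "6.0":
        return False
    return (not hf0013_installed) or crl_used


def triage(version_line, airlock_version, hf0013_installed, crl_used):
    """Combine the checks into one report dictionary for an operator."""
    version = parse_openssl_version(version_line)
    return {
        "openssl_version": version,
        "cves": affected_cves(version, crl_used),
        "hotfix_recommended": hotfix_recommended(airlock_version, hf0013_installed, crl_used),
        "cve_2016_7052_fixed": fixed_for_cve_2016_7052(version),
    }


if __name__ == "__main__":
    # Example run against the constructed samples.
    print(triage(SAMPLE_VERSION_LINES["waf_5_3_1"], "5.3.1", False, True))
    print(triage(SAMPLE_VERSION_LINES["waf_6_0_hf0013"], "6.0", True, True))
    print(triage(SAMPLE_VERSION_LINES["waf_6_0_fixed"], "6.0", True, True))
```

The `triage` result is intended as a verification aid after patching: once the hotfix is installed, `cve_2016_7052_fixed` should flip to `True` and `cves` should be empty regardless of the CRL setting.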
Component: 
Airlock
Airlock Vulnerability Status: 
Airlock vulnerable, see resolution
Back-end Vulnerability Status: 
No action required