It's Like Updating OpenSSL All Over Again

Updated on May 3, 2016 by UpGuard

It's Like Updating OpenSSL All Over Again! (Security lock image courtesy Yuri Samoilov, Flickr)

A new high severity vulnerability in the OpenSSL protocol was announced today that could allow an attacker to cause memory corruption in devices handling SSL certificates. The vulnerability was caused by a combination of bugs, one a mishandling of negative zero integers, and the other a mishandling of large universal tags. When both bugs are present, an attacker can trigger corruption by causing an out-of-bounds memory write.

Because the two individual bugs causing the vulnerability were discovered a while back, the latest versions not affected are OpenSSL 1.0.2c and OpenSSL 1.0.1o, however, because of other issues discovered since then, it is recommended to upgrade to the following versions, released May 3rd, 2016:

OpenSSL 1.0.2 users should upgrade to 1.0.2h
OpenSSL 1.0.1 users should upgrade to 1.0.1t

Fortunately, this vulnerability was discovered by Google’s Project Zero before it could be exploited in the wild. Finding your OpenSSL versions with UpGuardRegular proactive testing is the key to continual improvement, both for software developers and systems admins. OpenSSL has a long history of vulnerabilities and updates, so making sure all of your systems have the correct version can be challenging. UpGuard’s powerful configuration search engine allows you to search for specific versions of OpenSSL or any other package across all of your nodes and our configuration policies will ensure all of your nodes comply with your version requirements and let you track upgrade status as you transition from one version to another, and our integration with automation platforms like Puppet and Chef can make streamlining these processes even easier.

Manage Your Sever Configurations

More Articles

Another Day, Another OpenSSL Vulnerability

Sure, you could manually dig into each machine and run openssl version, or spend the afternoon scripting a solution if you're fancy, but that amount of work will only get you through today.
Read Article >

Why Security Needs DevOps: OpenSSL and Beyond

The lesson to be learned from Heartbleed and its offspring is not that OpenSSL or open source software is too dangerous to use, but that new methods of infrastructure management are the only way to keep pace with current security threats.
Read Article >

10 Essential Steps for Configuring a New Server

That’s a nice new Linux server you got there… it would be a shame if something were to happen to it.
Read Article >