A new high severity vulnerability in the OpenSSL library was announced today that could allow an attacker to cause memory corruption on devices handling SSL certificates. The vulnerability is caused by a combination of two bugs: one a mishandling of negative zero integers, the other a mishandling of large universal tags in ASN.1 parsing. When both bugs are present, an attacker can trigger the corruption by causing an out-of-bounds memory write.
Because the two individual bugs behind this vulnerability were discovered some time ago, the latest versions not affected are OpenSSL 1.0.2c and OpenSSL 1.0.1o; however, because of other issues discovered since then, it is recommended to upgrade to the following versions, released May 3rd, 2016:
Fortunately, this vulnerability was discovered by Google’s Project Zero before it could be exploited in the wild. Regular proactive testing is the key to continual improvement, both for software developers and systems admins. OpenSSL has a long history of vulnerabilities and updates, so making sure all of your systems are running the correct version can be challenging. UpGuard’s configuration search engine lets you search for specific versions of OpenSSL, or any other package, across all of your nodes. Configuration policies check that every node complies with your version requirements and let you track upgrade status as you transition from one version to another, and integration with automation platforms like Puppet and Chef can streamline these processes even further.
Sure, you could manually dig into each machine and run openssl version, or spend the afternoon scripting a solution if you're fancy, but that amount of work will only get you through today.
The lesson to be learned from Heartbleed and its offspring is not that OpenSSL or open source software is too dangerous to use, but that new methods of infrastructure management are the only way to keep pace with current security threats.