July 13, 2015
3 min read

"High" severity security vulnerabilities in OpenSSL

WSO2 Cloud Services are not affected by this vulnerability; however, system administrators are strongly advised to update their OpenSSL installations. OpenSSL is one of the most widely used implementations of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) cryptographic protocols. It runs on a large share of internet-facing devices, including an estimated two thirds of all web servers.

On 9 July 2015, OpenSSL released a security patch for a newly discovered vulnerability in the 1.0.1 and 1.0.2 branches:

"During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and 'issue' an invalid certificate." - OpenSSL Security Advisory [9 Jul 2015]

In practice this means that any application which verifies certificates with an affected release (TLS/DTLS clients, and servers that perform client-certificate authentication) could be made to trust a certificate signed by an ordinary end-entity certificate rather than by a CA. Since anyone can obtain a valid leaf certificate for a domain they control, this is the building block of a man-in-the-middle attack against affected clients.

The faulty alternative-chain logic was introduced in the releases of June 2015, so only a small set of versions is affected: 1.0.2b, 1.0.2c, 1.0.1n and 1.0.1o. Red Hat, CentOS, Debian and Ubuntu have published notices stating that their distributions are not affected, because their packages are based on earlier OpenSSL releases that never contained this code.

How do you make sure that your systems are not vulnerable? Check which OpenSSL release is installed on each system; if it is one of the four affected versions, upgrade as follows:
  • OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
  • OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p
Note: The bug does not affect OpenSSL versions 1.0.0 and 0.9.8. Both of those branches were nevertheless scheduled to reach end of life on 31 December 2015, so they should be treated as a migration item rather than a safe place to stay.
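The check described above, as an added example script (not part of the original post or of any OpenSSL tooling): it parses the output of `openssl version`, decides whether the release is one of the four affected versions, and prints the release to upgrade to. The function and variable names, and the sample version strings in the comments, are this example's own. Note the caveat in the comments: the version string is conclusive for this particular bug only, because the alternative-chain code existed in no other release; for vendor-patched packages such as Red Hat's 1.0.1e builds, other fixes are tracked in the package changelog, not in the version letter.

```shell
#!/bin/sh
# Added example (not from the WSO2 post): classify an "openssl version" line
# against the four releases named in the OpenSSL advisory of 9 Jul 2015.
#
# Usage: ./check_openssl.sh                         (checks openssl on PATH)
#        ./check_openssl.sh "OpenSSL 1.0.2c 12 Jun 2015"
# Exit status: 0 = not affected, 1 = affected, 2 = version string not recognised.

# Extract the bare release token (e.g. "1.0.2c") from an "openssl version" line.
# Vendor suffixes such as "-fips" are dropped; a bare token is accepted as well.
openssl_release() {
    printf '%s\n' "$1" |
        sed -n 's/^\([Oo]pen[Ss][Ss][Ll] *\)\{0,1\}\([0-9][0-9.]*[a-z]*\).*/\2/p'
}

# Predicate: returns 0 when the release contains the alternative-chain bug.
# Only 1.0.2b, 1.0.2c, 1.0.1n and 1.0.1o ever shipped that code, so the
# version letter alone is conclusive here. (It is NOT conclusive for other
# bugs: distributions backport fixes without changing the letter, so a
# Red Hat "1.0.1e-fips" may carry many later fixes.)
openssl_is_affected() {
    case "$1" in
        1.0.2b|1.0.2c|1.0.1n|1.0.1o) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the release an affected version should be upgraded to.
openssl_fixed_release() {
    case "$1" in
        1.0.2b|1.0.2c) printf '1.0.2d\n' ;;
        1.0.1n|1.0.1o) printf '1.0.1p\n' ;;
        *) printf 'no upgrade required for this issue\n' ;;
    esac
}

# Classify a full "openssl version" line. Prints a one-line verdict and uses
# the exit status so the script can drive a fleet-wide check (0 = clean).
check_openssl_version_line() {
    rel=$(openssl_release "$1")
    if [ -z "$rel" ]; then
        printf 'UNKNOWN: could not parse version string: %s\n' "$1"
        return 2
    fi
    if openssl_is_affected "$rel"; then
        printf 'AFFECTED: OpenSSL %s, upgrade to %s\n' "$rel" "$(openssl_fixed_release "$rel")"
        return 1
    fi
    printf 'not affected: OpenSSL %s\n' "$rel"
    return 0
}

# Entry point: check an explicit string, or the openssl binary on PATH if any.
if [ "$#" -gt 0 ]; then
    check_openssl_version_line "$1"
elif command -v openssl >/dev/null 2>&1; then
    check_openssl_version_line "$(openssl version)"
fi
```

Run it on every host (for example over SSH from a management box) and collect the exit statuses; a non-zero status is a host that needs either an upgrade (1) or a manual look (2, for builds such as LibreSSL whose version line does not follow the OpenSSL format).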