Analysts recommend upgrading 'within days'.
The OpenSSL Project released OpenSSL 1.0.1k, OpenSSL 1.0.0p, and OpenSSL 0.9.8zd on Thursday – addressing eight vulnerabilities altogether, two of which could lead to denial-of-service (DoS) attacks and are deemed moderate in severity.
CVE-2014-3571 is a DTLS segmentation fault in dtls1_get_record, according to an advisory, which explains that a “carefully crafted DTLS message can cause a segmentation fault in OpenSSL due to a NULL pointer deference,” and could lead to a DoS attack. OpenSSL versions 1.0.1, 1.0.0 and 0.9.8 are affected.
CVE-2015-0206 is a DTLS memory leak in dtls1_buffer_record and could lead to a DoS attack through memory exhaustion. The post indicates that “a memory leak can occur in the dtls1_buffer_record function under certain conditions,” notably “if an attacker sent repeated DTLS records with the same sequence number, but for the next epoch.” OpenSSL versions 1.0.1 and 1.0.0 are affected.
The remaining six vulnerabilities – CVE-2014-3569, CVE-2014-3572, CVE-2015-0204, CVE-2015-0205, CVE-2014-8275, and CVE-2014-3570 – are deemed low in severity and address a variety of problems, some of which involve issues with certificates.
“While none of the issues reach Heartbleed-levels of severity, system administrators should plan to upgrade their running OpenSSL server instances in the coming days,” Tod Beardsley, engineering manager at Rapid7, said in a statement emailed to SCMagazine.com.
Beardsley said that the vulnerabilities that lead to a DoS condition are the most severe, and that “in order to maintain reliable service, OpenSSL should be upgraded or replaced by SSL libraries not affected by these issues, such as LibreSSL.”
Users are reminded that support for OpenSSL versions 1.0.0 and 0.9.8 will end after Dec. 31, meaning security updates will no longer be provided. Version 1.0.1 will be supported until Dec. 31, 2016, and version 1.0.2 will be supported until at least then. There are no plans for a 1.0.3 release.
“Version 1.1.0 will (moderately) break source compatibility (for example we will make most structures opaque etc),” according to a release. “We expect a preview version to be available mid 2015, with an expected release by the end of 2015.”