OpenSSL 1.0.1 and 1.0.2-beta1 security upgrades Updated on August 16, 2021 by InMotion Hosting Contributor 2 Minutes, 18 Seconds to Read Back on April 7th there was something called the Heartbleed Open SSL bug that caused some security issues for servers running certain versions of OpenSSL. There was a new OpenSSL security advisory posted earlier today disclosing seven additional security flaws found in OpenSSL 1.0.1 and OpenSSL 1.0.2-beta1. There was also a new OpenSSL 1.0.1h patch made available today as well. All InMotion Hosting server’s have been reviewed and any vulnerable versions are in the process of being patched. Customer’s might have noticed a few second duration of unavailability in their services today as they were restarted to apply the security patches. OpenSSL 1.0.1 and 1.0.2-beta1 vulnerabilities OpenSSL SSL/TLS MITM vulnerability (CVE-2014-0224) An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution. OpenSSL DTLS recursion flaw (CVE-2014-0221) By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack. OpenSSL DTLS invalid fragment vulnerability (CVE-2014-0195) A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. OpenSSL SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198) A flaw in the do_ssl3_write function can allow remote attackers to cause a denial of service via a NULL pointer dereference. This flaw only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common. OpenSSL SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298) A race condition in the ssl3_read_bytes function can allow remote attackers to inject data across sessions or cause a denial of service. This flaw only affects multithreaded applications using OpenSSL 1.0.0 and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common. OpenSSL Anonymous ECDH denial of service (CVE-2014-3470) OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a denial of service attack. Vulnerable versions of OpenSSL openssl 1.0.1 openssl 1.0.1:beta1 openssl 1.0.1:beta2 openssl 1.0.1:beta3 openssl 1.0.1:a openssl 1.0.1:b openssl 1.0.1:c openssl 1.0.1:d openssl 1.0.1:e openssl 1.0.1:f openssl 1.0.2-beta1 Recommended upgrade paths for OpenSSL Current OpenSSL version Should you upgrade? Updated OpenSSL version openssl 0.9.8 Recommended openssl 0.9.8za openssl 1.0.0 Recommended openssl 1.0.0m openssl 1.0.1 Required openssl 1.0.1h Share this Article InMotion Hosting Contributor Content Writer InMotion Hosting contributors are highly knowledgeable individuals who create relevant content on new trends and troubleshooting techniques to help you achieve your online goals! More Articles by InMotion Hosting Related Articles Force HTTPS with the .htaccess File How to Fix the Insecure SSL Error due to SHA-1 Deprecation Troubleshooting SSL Connection Errors: How to Fix HTTPS Issues What Is SSL and Why Is It Important? How to Install Let’s Encrypt SSL on Ubuntu with Certbot Installing SSLs and Generating CSRs in cPanel Forcing your Website’s visitors to use the shared SSL How to Manage AutoSSL Certificates in cPanel How to Purchase an SSL Certificate for your Dedicated Server How to Enable a SSL on a WordPress Site
