New versions of OpenSSL library 1.0.1t and 1.0.2h were released a couple of hours ago. According to changelog, vendor fixed five security vulnerabilities in total. The vulnerabilities can be exploited to disclose potentially sensitive information, perform MitM (Man-in-the-Middle) attacks, cause denial of service and execute arbitrary code.
Below is the list of vulnerabilities, fixed in OpenSSL library:
| CVE ID | Description | Impact | Severity |
|---|---|---|---|
| CVE-2016-2107 | Padding oracle attack and traffic description | MitM | 3.7 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N] |
| CVE-2016-2105 | Heap corruption in EVP_EncodeUpdate() function | DoS/RCE | 10.0 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H] |
| CVE-2016-2106 | Heap corruption in EVP_EncodeUpdate() function | DoS/RCE | 10.0 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H] |
| CVE-2016-2109 | Excessive memory allocation when handling ASN.1 data in d2i_CMS_bio() function | DoS | 5.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L] |
| CVE-2016-2176 | Information disclosure in X509_NAME_oneline() function | Information Exposure | 5.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N] |
The are no known public exploits for any of the vulnerabilities. Nevertheless, we recommend installing the latest version ASAP to avoid any potential exploitation of these vulnerabilities.
Visit the vendors website to download and install the latest version of OpenSSL.