JPCERT-AT-2016-0010
JPCERT/CC
2016-03-02(Initial)
2016-03-03(Update)
<<< JPCERT/CC Alert 2016-03-02 >>>
Alert regarding multiple vulnerabilities in OpenSSL
https://www.jpcert.or.jp/english/at/2016/at160010.html
I. Overview
OpenSSL provided by the OpenSSL Project contains multiple vulnerabilities.
For more details on the vulnerabilities, please check the information provided
by the OpenSSL Project.
OpenSSL Project
OpenSSL Security Advisory [1st March 2016]
https://www.openssl.org/news/secadv/20160301.txt
Versions of OpenSSL affected by CVE-2016-0800 that have SSLv2 enabled
may allow a remote attacker to obtain critical information such as private
keys.
** Update: March 3, 2016 Update ****************************************
Vulnerability Note VU#583776 notes a possibility where private keys may
be obtained. However, according to the reporter of CVE-2016-0800, private
keys will not be obtained but encrypted communications may be decrypted.
************************************************************************
II. Affected Software
The following versions are affected:
- OpenSSL 1.0.1r and earlier for the 1.0.1 line
- OpenSSL 1.0.2f and earlier for the 1.0.2 line
III. Solution
The OpenSSL Project has provided versions of OpenSSL that address the
vulnerabilities. Please consider applying the update after thorough testing.
- OpenSSL 1.0.1s
- OpenSSL 1.0.2g
According to the OpenSSL Project, the 0.9.8 and 1.0.0 lines of OpenSSL
are no longer supported as of December 31, 2015. No updates to these versions
will be provided.
OpenSSL Project
The New Release Strategy
https://www.openssl.org/blog/blog/2014/12/23/the-new-release-strategy/
If an update cannot be applied, please consider disabling SSLv2 as a
countermeasure to CVE-2016-0800.
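The following is an added example, not part of the JPCERT/CC alert or of the OpenSSL Project's tooling: a triage script that classifies `openssl version` banners against the affected, fixed and unsupported lines listed in sections II and III. The function names, result labels and sample banners are assumptions constructed for illustration.

```python
import re

# Last affected release letter per supported line (section II of the alert).
LAST_AFFECTED = {(1, 0, 1): "r", (1, 0, 2): "f"}
# Lines the alert lists as no longer supported; no fixed release exists.
UNSUPPORTED = {(0, 9, 8), (1, 0, 0)}

_BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner):
    """Return ((major, minor, fix), letters) from an `openssl version` banner."""
    m = _BANNER.search(banner)
    if m is None:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    return tuple(int(n) for n in m.group(1, 2, 3)), m.group(4)


def _letter_key(letters):
    # Patch letters order by length, then alphabetically: "" < "a" < "z" < "za".
    return (len(letters), letters)


def classify(banner):
    """Map a banner to 'affected', 'fixed', 'unsupported' or 'not-covered'."""
    line, letters = parse_version(banner)
    if line in UNSUPPORTED:
        return "unsupported"
    if line not in LAST_AFFECTED:
        return "not-covered"  # the alert makes no statement about this line
    if _letter_key(letters) <= _letter_key(LAST_AFFECTED[line]):
        return "affected"
    return "fixed"


if __name__ == "__main__":
    # Constructed sample banners, not output captured from real hosts.
    samples = [
        "OpenSSL 1.0.1e-fips 11 Feb 2013",
        "OpenSSL 1.0.1s  1 Mar 2016",
        "OpenSSL 1.0.2f  28 Jan 2016",
        "OpenSSL 1.0.2g  1 Mar 2016",
        "OpenSSL 0.9.8zh 3 Dec 2015",
    ]
    for banner in samples:
        print("%-12s %s" % (classify(banner), banner))
```

Distribution packages may carry backported fixes without changing the upstream version letter, so an "affected" result for a vendor build should be confirmed against the vendor advisories listed in the references.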
IV. References
Vulnerability Note VU#583776
Network traffic encrypted using RSA-based SSL certificates over SSLv2 may be decrypted by the DROWN attack
https://www.kb.cert.org/vuls/id/583776
OpenSSL Project
Release Strategy
https://www.openssl.org/policies/releasestrat.html
RedHat, Inc.
DROWN - Cross-protocol attack on TLS using SSLv2 - CVE-2016-0800
https://access.redhat.com/security/vulnerabilities/drown
Debian Project
DSA-3500-1 openssl -- security update
https://www.debian.org/security/2016/dsa-3500
Canonical Ltd (Ubuntu)
USN-2914-1: OpenSSL vulnerabilities
http://www.ubuntu.com/usn/usn-2914-1/
** Update: March 3, 2016 Update ****************************************
The DROWN Attack
https://drownattack.com/
JVNVU#90617353
Network traffic encrypted over SSLv2 may be decrypted by the DROWN attack (Japanese)
https://jvn.jp/vu/JVNVU90617353/
************************************************************************
If you have any information regarding this alert, please contact
JPCERT/CC.
________
Revision History
2016-03-02 First edition
2016-03-03 Updated "Overview" and "References"
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/