The OpenSSL team has announced patches for 14 vulnerabilities in the open source SSL/TLS software including fixes for the FREAK flaw and a high severity DoS issue.
Many in the community feared the worst when the Open SSL Project Team gave prior warning that at least one high severity issue would be announced on Thursday – with some speculating that it could point to the discovery of another “Heartbleed” style flaw.
However, the advisory when it came was more mundane.
Users of OpenSSL 1.0.2 were urged to upgrade to version 1.0.2a to mitigate the DoS issue, dubbed ClientHello (CVE-2015-0291). It’s a NULL pointer dereference issue which can be exploited in a denial of service against the server, the advisory noted.
According to Trey Ford, global security strategist at Rapid7, many users of OpenSSL are still on versions 0.9.8 and 1.0.1 so won’t be affected by the issue.
However, they, and users on version 1.0.0 will be affected by the other high severity issue, related to FREAK, and were asked to upgrade to 1.0.1k, 1.0.0p and 0.9.8zd respectively to mitigate the problem.
This vulnerability was originally down as a “low severity” issue until a recent discovery that support for RSA export ciphersuites was far more common than at first thought, OpenSSL said.
Nine of the remaining 12 advisories relate to “moderate” severity issues while three are rated as “low” severity.
Despite the lack of a headline-making Heartbleed-style vulnerability, there’s plenty to keep admins busy, according to Ford.
“We expect to see corresponding attack code quickly built by those reverse engineering the published patches – steps to push these fixes to internet exposed systems should be prioritized,” he advised.
“Export ciphers are overdue for retirement, and organizations using them should looks for ways to upgrade to more stringent encryption standards.”
OpenSSL is set to undergo a major security audit as part of a multi-million dollar initiative by the Linux Foundation to improve the stability of core open source projects.