OpenSSL patches nine security flaws

Code security audits kicking in.

The OpenSSL open source cryptographic library - whose software underpins many thousands of internet sites - today issued patches for nine security flaws in its three main code branches.

Marco Ostini, AusCERT. Photo: Paul Hagon/CC2.0/cropped

None of the vulnerabilities can be exploited to leak information as is possible with the "Heartbleed" flaw.

Several can be used for denial of service (DoS) attacks against the Datagram Transport Layer Security (DTLS) protocol, the OpenSSL team said.

One of the flaws in the OpenSSL server, discovered by Googlers David Benjamin and Adam Langley, the first to discover the Heartbleed vulnerability, can be exploited to force a negotiation with a client to pick the older and less secure Transport Layer Security (TLS) 1.0 protocol instead of more modern, more secure ones.

AusCERT information security analyst Marco Ostini told iTnews that the current spate of vulnerabilities isn't as serious as the last couple of OpenSSL advisories.

Ostini noted that there is now plenty more industry input and code audit for the OpenSSL project.

"It's lovely to see OpenSSL bugs being identified by Google, LogMeIn and Codenomicon, and see them being attended to by OpenSSL developers," Ostini said.

The OpenSSL project recommends that users upgrade their existing software as soon as feasible, as listed below.

  • OpenSSL 0.9.8 users should upgrade to 0.9.8zb.
  • OpenSSL 1.0.0 users should upgrade to 1.0.0n.
  • OpenSSL 1.0.1 users should upgrade to 1.0.1i.
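
One way to check an inventory of `openssl version` banners against the fixed releases listed above. This is an added example, not code from the OpenSSL project or from iTnews; the function names, status labels and sample host names are assumptions made for illustration.

```python
import re

# Fixed release letter per branch, taken from the upgrade list in the article.
FIXED = {"0.9.8": "zb", "1.0.0": "n", "1.0.1": "i"}

# Matches the start of an `openssl version` line, e.g. "OpenSSL 1.0.1h 5 Jun 2014".
_VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def letter_key(suffix):
    """Sort key for OpenSSL patch letters: '' < a < ... < z < za < zb ..."""
    return (len(suffix), suffix)


def check_banner(banner):
    """Classify one banner. Returns (branch, letters, status)."""
    m = _VERSION_RE.search(banner)
    if not m:
        return (None, None, "unparsed")
    branch, letters = m.groups()
    fixed = FIXED.get(branch)
    if fixed is None:
        # Branch is not one of the three the article covers.
        return (branch, letters, "branch-not-listed")
    if letter_key(letters) >= letter_key(fixed):
        return (branch, letters, "ok")
    # Caveat: distribution packages often backport fixes without changing
    # the upstream letter, so confirm against the vendor's advisory.
    return (branch, letters, "upgrade")


def audit(inventory):
    """Map each host to the status of its reported OpenSSL banner."""
    return {host: check_banner(b)[2] for host, b in inventory.items()}


# Constructed sample inventory; host names and banners are made up.
SAMPLE_INVENTORY = {
    "web01": "OpenSSL 1.0.1h 5 Jun 2014",
    "web02": "OpenSSL 1.0.1i 6 Aug 2014",
    "legacy01": "OpenSSL 0.9.8za 5 Jun 2014",
    "legacy02": "OpenSSL 0.9.8zb 6 Aug 2014",
    "rhel01": "OpenSSL 1.0.1e-fips 11 Feb 2013",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(host, status)
```

A host reported as `upgrade` on a vendor-packaged build, such as the `-fips` banner in the sample, needs a check of the package changelog before it is treated as unpatched.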

Vulnerabilities patched in the latest advisory include CVE-2014-3508, CVE-2014-5139, CVE-2014-3509, CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3510, CVE-2014-3511 and CVE-2014-3512.

Copyright © iTnews.com.au . All rights reserved.