Four vulnerabilities are being fixed in the latest round of patches for the popular OpenSSL cryptographic library that is used worldwide to secure data communications over the internet.
While one flaw is marked as low severity, and another two as medium severity, the most serious vulnerability is rated as a high risk, and could open the door to denial of service attacks, the OpenSSL project said in a recent security advisory.
The CVE-2014-3513 vulnerability is blamed on a flaw, discovered by the LibreSSL project, in the Datagram Transport Layer Security (DTLS) Secure Real-Time Transport Protocol (SRTP) extension.
An attacker can send a specially crafted handshake message during the connection set-up which prevents OpenSSL from freeing up to 64 kilobytes of memory. This in turn causes a memory leak in the OpenSSL server.
Only OpenSSL 1.0.1 is affected by the DTLS/SRTP vulnerability.
The POODLE interoperability bug, which allows man-in-the-middle attacks, is also being plugged in the latest version of OpenSSL.
OpenSSL users are advised to upgrade their installations as follows:
- OpenSSL 1.0.1 users should upgrade to 1.0.1j.
- OpenSSL 1.0.0 users should upgrade to 1.0.0o.
- OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
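The upgrade table above is easy to misread because OpenSSL's patch levels are letters rather than numbers (1.0.1i is older than 1.0.1j, and 0.9.8z is followed by 0.9.8za, 0.9.8zb, 0.9.8zc). The following script, added here as an illustration and not part of the article or the OpenSSL project, parses the output of `openssl version`, works out which branch a build belongs to, and reports whether it is older than the fixed release listed in the advisory. The `FIXED` table is taken from the article; the sample version strings in the test are constructed, and the assumption that `openssl` is on the PATH only matters when the script is run directly.

```python
"""Check an OpenSSL version string against the fixed releases from the advisory.

Added example: the version table comes from the article; the parsing logic
and sample inputs are this script's own.
"""
import re
import subprocess

# Branch -> first release containing the fixes, as listed in the advisory.
FIXED = {
    "1.0.1": "1.0.1j",
    "1.0.0": "1.0.0o",
    "0.9.8": "0.9.8zc",
}

# major.minor.fix followed by an optional letter patch suffix, e.g. "0.9.8zc".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def letters_to_int(suffix: str) -> int:
    """Map OpenSSL's letter suffix to an ordinal.

    '' -> 0, 'a' -> 1, ..., 'z' -> 26, 'za' -> 27, 'zc' -> 29.
    Summing works because every letter before the last one is always 'z'.
    """
    return sum(ord(ch) - ord("a") + 1 for ch in suffix)


def parse_version(text: str) -> tuple:
    """Extract (major, minor, fix, patch_ordinal) from a version string.

    Accepts the raw `openssl version` output (e.g. 'OpenSSL 1.0.1j ...') or a
    bare version such as '1.0.1j'. Tuples compare correctly with '<'.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, fix = (int(x) for x in match.group(1, 2, 3))
    return (major, minor, fix, letters_to_int(match.group(4)))


def needs_upgrade(text: str):
    """Return (branch, required_version) if the build is older than the fix.

    Returns None when the build already carries the fix, or when its branch is
    not covered by the advisory's table at all.
    """
    version = parse_version(text)
    branch = f"{version[0]}.{version[1]}.{version[2]}"
    if branch not in FIXED:
        return None
    if version < parse_version(FIXED[branch]):
        return (branch, FIXED[branch])
    return None


def installed_version_string() -> str:
    """Run `openssl version` for the build on the PATH (assumed to exist)."""
    result = subprocess.run(
        ["openssl", "version"], capture_output=True, text=True, check=True
    )
    return result.stdout.strip()


if __name__ == "__main__":
    current = installed_version_string()
    verdict = needs_upgrade(current)
    if verdict is None:
        print(f"{current}: not affected by this advisory's upgrade table")
    else:
        branch, required = verdict
        print(f"{current}: on branch {branch}, upgrade to {required}")
```

Branches absent from the table (for example a 1.0.2 development build) are reported as not covered rather than as safe; that distinction matters when the script is reused for a later advisory with a different table.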
Separately, OpenSSL also announced that version 0.9.8 of the cryptographic library will no longer be supported after the end of December next year.
Apple is currently using 0.9.8 in its OS X operating system. The latest Yosemite version of OS X is running version 0.9.8za of OpenSSL, dated January 2014.