March 2015 OpenSSL Security Advisory

Blog Post created by jpagano Employee on Mar 19, 2015

Today OpenSSL released a security advisory listing 14 vulnerabilities affecting various versions of OpenSSL. There are 2 High, 9 Moderate, and 3 Low severity vulnerabilities in the mix.


The security community was anxious that there could be another Heartbleed (or worse) in this list. Thankfully, this is NOT the case, even among the High severity vulnerabilities. Many of these vulnerabilities are limited in their scope, impact, and/or prevalence (especially compared to Heartbleed).


The first High severity vulnerability is a DoS vulnerability that only affects OpenSSL 1.0.2 servers. If you do have servers using OpenSSL 1.0.2, prioritize remediation according to your availability requirements for such servers.


The second High severity vulnerability is actually an old vulnerability first reported on January 8th, 2015 that affects OpenSSL versions 0.9.8, 1.0.0, and 1.0.1. It’s related to the FREAK vulnerability in which a MiTM attack can be conducted against vulnerable systems by forcing them to use weak RSA export ciphersuites. It’s been reclassified from Low severity to High severity because recent research has found the prevalence of systems that support RSA export ciphersuites to be much higher than originally thought. Generally it’s worth noting that export ciphers are overdue for retirement, and we recommend that organizations using them look for ways to upgrade to more stringent encryption standards.


The impacts of the Moderate severity vulnerabilities consist of DoS conditions, segmentation faults, null pointer dereferences, and memory corruption. One of the vulnerabilities only affects servers that still support SSLv2 (which shouldn’t be used by anyone/anything). Another one only affects applications using OpenSSL to parse PKCS#7 data. Four of the nine Moderate severity vulnerabilities only affect OpenSSL 1.0.2.