Yesterday OpenSSL published a new security advisory covering six vulnerabilities. Unlike Heartbleed, the OpenSSL vulnerability disclosed in April 2014, none of them exposes certificate private key material through the SSL/TLS protocol itself; the one possible exception is for deployments running DTLS, where the flaw can lead to code execution on the affected host.
The newly identified vulnerabilities include an SSL/TLS handshake bug that lets an attacker positioned between a vulnerable client and a vulnerable server mount a man-in-the-middle (MITM) attack and decrypt or modify the traffic, which can expose sensitive data. OpenSSL notes that both endpoints must be vulnerable for this attack to work and that only 1.0.1 servers are known to be exploitable, although earlier server versions should be upgraded as a precaution. A separate DTLS vulnerability (a buffer overrun when handling invalid fragments) could allow an attacker to run arbitrary code on vulnerable software and devices.
Recommended Actions:
- We advise all OpenSSL users to update their systems with the patches and recommendations provided by OpenSSL immediately.
- If you do not run DTLS, you will not need to re-issue certificates.
- If you are running DTLS, there may be some additional steps required. Please contact GlobalSign Support for further instructions.
Upgrade path recommendations from the OpenSSL Security Advisory (the same fixed release applies to SSL/TLS and DTLS users, client and/or server):
- OpenSSL 0.9.8 users should upgrade to 0.9.8za.
- OpenSSL 1.0.0 users should upgrade to 1.0.0m.
- OpenSSL 1.0.1 users should upgrade to 1.0.1h.
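The comparison above is easy to get wrong by hand because OpenSSL letter releases run a, b, ..., z and then za, zb, ..., so 0.9.8y sorts before 0.9.8za. The following script, added here as an example and not code from GlobalSign or the OpenSSL project, parses the output of `openssl version` and reports whether the installed branch is at or above the fixed release listed in the advisory. The fixed-release table and the sample version strings in the comments are taken from the list above; the `check_local` helper name is my own.

```python
"""Compare an OpenSSL version string against the June 2014 advisory fixes.

Added example, not GlobalSign or OpenSSL code. Fixed releases come from
the advisory upgrade list: 0.9.8za, 1.0.0m, 1.0.1h.
"""
import re
import subprocess

# Branch -> minimum letter release that contains the fixes.
FIXED = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}

# Matches e.g. "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 0.9.8za 5 Jun 2014".
_VERSION_RE = re.compile(r"OpenSSL (\d+\.\d+\.\d+)([a-z]*)")


def parse_version(text):
    """Return (branch, letters) from `openssl version` output.

    "OpenSSL 1.0.1e 11 Feb 2013" -> ("1.0.1", "e")
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % (text,))
    return m.group(1), m.group(2)


def letters_key(letters):
    """Sort key for OpenSSL letter suffixes.

    Releases go a..z and then za, zb, ..., so a longer suffix is always
    newer; compare length first, then lexically.
    """
    return (len(letters), letters)


def is_patched(text):
    """True if the version is at/above the advisory's fixed release.

    Returns None for a branch the advisory's upgrade list does not cover
    (for example 1.0.2-beta); consult the advisory directly for those.
    """
    branch, letters = parse_version(text)
    if branch not in FIXED:
        return None
    return letters_key(letters) >= letters_key(FIXED[branch])


def check_local():
    """Run the local `openssl version` binary and classify it.

    Caveat: distribution packages (Debian/Ubuntu, RHEL/CentOS) backport
    fixes without changing the upstream version string, so a result of
    False here means "check the vendor package changelog", not
    "definitely vulnerable".
    """
    out = subprocess.run(["openssl", "version"],
                         capture_output=True, text=True).stdout
    return out.strip(), is_patched(out)


if __name__ == "__main__":
    version, patched = check_local()
    status = {True: "at or above fixed release",
              False: "below fixed release (verify vendor backports)",
              None: "branch not covered by the advisory list"}[patched]
    print("%s: %s" % (version, status))
```

Two practical notes: after upgrading the library, restart every service that links against it (or reboot), because a running process keeps the old libssl mapped in memory until it is restarted; and if you run DTLS, the version check alone does not settle the key-exposure question, which is why the advice above is to contact Support.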
Full details about the OpenSSL vulnerabilities and upgrades can be found on the OpenSSL website.