GlobalSign Blog

06 Jun 2014

Security Advisory: New OpenSSL Vulnerabilities Identified

Yesterday a new security advisory was published by OpenSSL highlighting six new vulnerabilities. Unlike Heartbleed, the OpenSSL vulnerability identified in April 2014, digital certificate key material is not vulnerable to exposure, with a possible exception if you are running DTLS.

The newly identified vulnerabilities include an SSL/TLS bug that could allow an attacker to carry out a Man-in-the-Middle (MITM) attack, which could result in the exposure of sensitive data, and a DTLS vulnerability that could allow the injection of malicious code into vulnerable software and devices.

Recommended Actions:

  • We advise all OpenSSL users to update their systems with the patches and recommendations provided by OpenSSL immediately.
  • If you do not run DTLS, you will not need to re-issue certificates.
  • If you are running DTLS, there may be some additional steps required. Please contact GlobalSign Support for further instructions.

Upgrade paths recommendations from the OpenSSL Security Advisory:

  • OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
  • OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
  • OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.
  • OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za.
  • OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m.
  • OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h.
  • OpenSSL 1.0.0 users should upgrade to 1.0.0m.
  • OpenSSL 1.0.1 users should upgrade to 1.0.1h.

Full details about the OpenSSL vulnerabilities and upgrades can be found on the OpenSSL website.
