[R7] OpenSSL '20151203' Advisory Affects Tenable SecurityCenter

Related Vulnerabilities: CVE-2015-3194   CVE-2015-3195   CVE-2015-7575  

Synopsis

SecurityCenter and the Tenable Appliance are potentially impacted by vulnerabilities in OpenSSL that were recently disclosed and fixed. Note that due to the time involved in doing a full analysis of the issue, Tenable has opted to patch the included version of OpenSSL as a precaution, and to save time.

  • CVE-2015-3194 - crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an RSA PSS ASN.1 signature that lacks a mask generation function parameter. (SecurityCenter)
  • CVE-2015-3195 - The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before 1.0.2e mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application. (3.x Appliance)
  • CVE-2015-7575 - The Transport Layer Security (TLS) protocol contains a flaw that is due to the program accepting RSA-MD5 signatures in the server signature within the TLS 1.2 ServerKeyExchange messages. This may allow a remote attacker to theoretically conduct collision-based forgery attacks. (3.x Appliance)

Based on a very cursory examination, it is believed that SecurityCenter is not impacted by CVE-2015-3195 or CVE-2015-3196, which were also fixed in this OpenSSL release. Regardless, this patch resolves those issues as well.

Based on Developer input, the Tenable Appliance 3.x.y releases were affected by CVE-2015-3195 and CVE-2015-7575. The Tenable Appliance 4.0.0 release is not affected by CVE-2015-3194, CVE-2015-3195, CVE-2015-3196 and CVE-2015-7575.

Please note that Tenable strongly recommends that Tenable products be installed on a subnet that is not Internet addressable.
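The version ranges quoted in the CVE entries above can be checked against the string a bundled OpenSSL reports. The following is an added example, not part of the Tenable advisory; the function names are illustrative, and the ranges are copied from the entries above (CVE-2015-7575 has no stated range, so it is not covered).

```python
import re

# Fixed release per branch, from the CVE entries in this advisory.
# CVE-2015-7575 is left out: the advisory gives no OpenSSL version range for it.
FIXED = {
    "CVE-2015-3194": {"1.0.1": "q", "1.0.2": "e"},
    "CVE-2015-3195": {"0.9.8": "zh", "1.0.0": "t", "1.0.1": "q", "1.0.2": "e"},
}
# "OpenSSL before 0.9.8zh" has no lower bound, so older branches are in range too.
NO_LOWER_BOUND = {"CVE-2015-3195": (0, 9, 8)}

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Split e.g. 'OpenSSL 1.0.1e-fips' into ((1, 0, 1), 'e')."""
    m = _VERSION.search(text)
    if m is None:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return tuple(int(n) for n in m.group(1, 2, 3)), m.group(4)


def patch_rank(letters):
    """Sort key for patch letters: '' < 'a' < ... < 'z' < 'za' < 'zb' ..."""
    return (len(letters), letters)


def affected_cves(version_text):
    """Return the CVE ids whose stated version range covers this build."""
    branch, letters = parse_openssl_version(version_text)
    name = ".".join(str(n) for n in branch)
    hits = []
    for cve, fixed in FIXED.items():
        oldest = NO_LOWER_BOUND.get(cve)
        if oldest is not None and branch < oldest:
            hits.append(cve)
        elif name in fixed and patch_rank(letters) < patch_rank(fixed[name]):
            hits.append(cve)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample strings in the format printed by `openssl version`.
    for sample in ("OpenSSL 1.0.1e-fips", "OpenSSL 1.0.1q", "OpenSSL 0.9.8zg"):
        print(sample, "->", affected_cves(sample) or "not in the stated ranges")
```

The result reflects the upstream ranges only: a distribution package that backports fixes can keep an older letter in its version string while already carrying the patch.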

Solution

Nessus

Tenable has released a patch for all supported versions of SecurityCenter that addresses these vulnerabilities. This patch applies OpenSSL 1.0.1q, which is not affected. This patch has been tested on SecurityCenter versions 4.6.2.2, 4.7.1, 4.8.2, 5.0.0.1, 5.0.2, and 5.1.0. Additionally, SecurityCenter 5.2.0 was released on December 16, 2015, which includes OpenSSL 1.0.1q and is a recommended mitigation, as it also brings a plethora of enhancements and features that are sure to delight. Upgrade information can be obtained from:

http://static.tenable.com/prod_docs/upgrade_security_center.html

The patch can be obtained from:

https://support.tenable.com/support-center/index.php?x=&mod_id=160

File                          md5sum
SC-201601.1-4.x-rh5-32.tgz    87723711f52f1c22279a1597c445e387
SC-201601.1-4.x-rh5-64.tgz    658fd17c6ee435f99612b72958da8170
SC-201601.1-4.x-rh6-32.tgz    ca9876612e3646d55ff455e3b614b08a
SC-201601.1-4.x-rh6-64.tgz    ff9027d2315bba4650d74d3a9d723765
SC-201601.1-5.x-rh5-64.tgz    4f7a4666232874226345589000c92edd
SC-201601.1-5.x-rh6-64.tgz    1ffc0779572997a753e575acc6d7772b
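A downloaded archive can be compared against the table above before it is applied. This is an added example, not Tenable's tooling; the function names are illustrative and the manifest rows are copied from the table. A matching MD5 shows the download is intact relative to the published value, which catches corruption or truncation rather than proving authenticity.

```python
import hashlib
import hmac
import re
from pathlib import Path

# File name / MD5 pairs as published in the table above.
MANIFEST = """\
SC-201601.1-4.x-rh5-32.tgz    87723711f52f1c22279a1597c445e387
SC-201601.1-4.x-rh5-64.tgz    658fd17c6ee435f99612b72958da8170
SC-201601.1-4.x-rh6-32.tgz    ca9876612e3646d55ff455e3b614b08a
SC-201601.1-4.x-rh6-64.tgz    ff9027d2315bba4650d74d3a9d723765
SC-201601.1-5.x-rh5-64.tgz    4f7a4666232874226345589000c92edd
SC-201601.1-5.x-rh6-64.tgz    1ffc0779572997a753e575acc6d7772b
"""


def parse_manifest(text):
    """Map file name -> lower-case MD5 hex digest, rejecting malformed rows."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, digest = line.split()  # raises ValueError on extra/missing fields
        digest = digest.lower()
        if not re.fullmatch(r"[0-9a-f]{32}", digest):
            raise ValueError(f"bad MD5 for {name}: {digest!r}")
        table[name] = digest
    return table


def md5_of(path, chunk=1 << 20):
    """Hash the file in chunks so large archives are not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_patch(path, manifest=MANIFEST):
    """Return 'ok', 'mismatch' or 'unlisted' for a downloaded patch archive."""
    expected = parse_manifest(manifest).get(Path(path).name)
    if expected is None:
        return "unlisted"  # file name does not appear in the published table
    return "ok" if hmac.compare_digest(md5_of(path), expected) else "mismatch"
```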

Tenable Appliance

Tenable Appliance users can upgrade to version 3.10.0 or 4.0.0, which are not affected. Updates can be obtained from:

https://support.tenable.com/support-center/index.php?x=&mod_id=230

Log Correlation Engine (LCE)

Tenable has released the Log Correlation Engine (LCE) 4.8.0 that addresses these issues. The updated version can be found at:

https://support.tenable.com/support-center/index.php?x=&mod_id=180