Nessus and SecurityCenter are potentially impacted by several vulnerabilities in OpenSSL that were recently disclosed and fixed. Note that due to the time involved in doing a full analysis of each issue, Tenable has opted to upgrade the included version of OpenSSL as a precaution, and to save time. The issues include:

CVE-2016-2107 - OpenSSL AES-NI CBC MAC Check Padding Oracle MitM Information Disclosure
CVE-2016-2105 - OpenSSL crypto/evp/encode.c EVP_EncodeUpdate() Function Heap Buffer Overflow Weakness
CVE-2016-2106 - OpenSSL crypto/evp/evp_enc.c EVP_EncryptUpdate() Function Heap Buffer Overflow Weakness
CVE-2016-2176 - OpenSSL crypto/x509/x509_obj.c X509_NAME_oneline() Function ASN1 Strings Handling Out-of-bounds Read Memory Disclosure
CVE-2016-2109 - OpenSSL crypto/asn1/a_d2i_fp.c ASN.1 BIO Length Field Handling Memory Exhaustion Remote DoS

Notes and caveats:

Nessus Agents are not affected by these issues, as they do not act as an SSL server.
The CVSS score reflects CVE-2016-2108.
Please note that Tenable strongly recommends products be installed on a subnet that is not Internet addressable.