OpenSSL prior to 0.9.8za, 1.0.0 prior to 1.0.0m, and 1.0.1 prior to 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle malicious users to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
| Vulnerable Product | Search on Vulmon | Subscribe to Product |
|---|---|---|
openssl openssl |
||
redhat jboss enterprise web platform 5.2.0 |
||
redhat enterprise linux 6.0 |
||
redhat storage 2.1 |
||
redhat enterprise linux 4 |
||
redhat enterprise linux 5 |
||
redhat jboss enterprise web server 2.0.1 |
||
redhat jboss enterprise application platform 5.2.0 |
||
fedoraproject fedora 20 |
||
redhat jboss enterprise application platform 6.2.3 |
||
fedoraproject fedora 19 |
||
opensuse opensuse 13.1 |
||
opensuse opensuse 13.2 |
||
filezilla-project filezilla server |
||
siemens application_processing_engine_firmware |
||
siemens cp1543-1_firmware |
||
siemens s7-1500_firmware |
||
siemens rox_firmware |
||
mariadb mariadb |
||
python python |
||
nodejs node.js |
We're upgrading it anyway. Honest, no really, yawns Ministry of Justice
The Criminal Justice Secure eMail system (CJSM) relies on insecure protocols that some security conscious organisations deliberately block, claims a Register source. CJSM is run by Vodafone on behalf of the government and designed to provide secure communications between the GSI (Government Secure Intranet) and external organisations in the criminal justice field, such as solicitors and police contractors. Security problems with the system came to El Reg’s attention following a tip-off from a ...
Synology finally patches OpenSSL bugs in Trevor's NAS
Sysadmin blog Synology quietly released version 4.2-3250 of its DiskStation Manager (DSM) operating system this month. This squashes critical security bugs in version 4.2 of DSM – bugs that were fixed in version 5.0 in June, so consider this a back port. Version 4.2 is old but still in use in various models, such as the DS109. The update got me thinking about the security of NASes and similar devices on our networks. New build 3250 addresses a kernel-level security issue as well as the six Ope...
Researcher suspended after zero-day dump
FireEye has patched a series of publicly-disclosed flaws in its operating system (FEOS) that facilitated man-in-the-middle attacks and command injection. The vulnerabilities released over June affected versions NX, EX, AX, FX, and CM of the FEOS and were patched in the first individual security bulletin for the system. The company urged customers to apply fixes. "FireEye encourages all customers to upgrade to the most current releases as soon as practical - especially customers running versions ...
Android 4.4.4 shipping just 18 days after the previous version
Android fans who are hoping Google will debut a new version of the OS at its annual I/O conference in San Francsico next week might be in for a disappointment ... because the company is rolling out a new version this week. On Friday, the Chocolate Factory published firmware images of Android 4.4.4 – yes, we're still talking "KitKat" – for the Nexus 4 and 5 phones and the Nexus 7 and 10 fondleslabs. The build number of the new release is KTU84P. There are no official release notes so far, but...
On a scale of 1 to Heartbleed, this is a 7
The OpenSSL team has pushed out fixes for six security vulnerabilities in the widely used crypto library. These holes include a flaw that enables man-in-the-middle (MITM) eavesdropping on encrypted connections, and another that allows miscreants to drop malware on at-risk systems. A DTLS invalid fragment bug (CVE-2014-0195, affects versions 0.9.8, 1.0.0 and 1.0.1) can be used to inject malicious code into vulnerable software in apps, devices and servers. DTLS is more or less TLS encryption over ...
Vulmon