
Multiple OpenSSL Vulnerabilities

Fabien edited this page Apr 17, 2024 · 1 revision

Overview

This page collects multiple vulnerabilities affecting various versions of OpenSSL, the widely used library that implements the SSL/TLS protocols and the cryptographic primitives beneath them. The underlying bugs range from buffer overflows and use-after-free errors to insufficient input validation, and their consequences range from denial of service through information disclosure to, in the worst case, remote code execution.

Findings covered on this page (each line is a scanner finding name; the release after "<" is the first release of that branch that contains the fix, so every earlier release of the branch is affected):

  • OpenSSL 1.0.2 < 1.0.2zj Vulnerability
  • OpenSSL 1.1.1 < 1.1.1l Vulnerability
  • OpenSSL 1.1.1 < 1.1.1m Vulnerability
  • OpenSSL 1.1.1 < 1.1.1n Vulnerability
  • OpenSSL 1.1.1 < 1.1.1o Vulnerability
  • OpenSSL 1.1.1 < 1.1.1p Vulnerability
  • OpenSSL 1.1.1 < 1.1.1q Vulnerability
  • OpenSSL 1.1.1 < 1.1.1t Multiple Vulnerabilities
  • OpenSSL 1.1.1 < 1.1.1u Multiple Vulnerabilities
  • OpenSSL 1.1.1 < 1.1.1v Vulnerability
  • OpenSSL 1.1.1 < 1.1.1x Vulnerability
  • OpenSSL 3.0.0 < 3.0.10 Multiple Vulnerabilities
  • OpenSSL 3.0.0 < 3.0.11 Vulnerability
  • OpenSSL 3.0.0 < 3.0.12 Vulnerability
  • OpenSSL 3.0.0 < 3.0.13 Vulnerability
  • OpenSSL 3.1.0 < 3.1.3 Vulnerability
  • OpenSSL 3.1.0 < 3.1.4 Vulnerability
  • OpenSSL 3.1.0 < 3.1.5 Vulnerability

Impact

The impact of these vulnerabilities varies but generally includes:

  • Denial of Service (DoS): Crash the service or consume excessive system resources, rendering the system unresponsive.
  • Information Disclosure: Expose sensitive information to an attacker, such as private keys or user data.
  • Remote Code Execution: Allow attackers to execute arbitrary code on the system, potentially gaining full control.

Affected Versions

The following OpenSSL branches are affected by one or more of the vulnerabilities above. The cut-off in each case is the first fixed release; every earlier release of that branch is vulnerable to at least one finding:

  • OpenSSL 1.0.2 series (releases before 1.0.2zj)
  • OpenSSL 1.1.1 series (releases before 1.1.1x; individual fixes landed progressively from 1.1.1l onward)
  • OpenSSL 3.0 series (releases before 3.0.13)
  • OpenSSL 3.1 series (releases before 3.1.5)

Solution

Upgrading OpenSSL:

The primary mitigation is to upgrade to a patched release, either built from the official OpenSSL source releases or taken from your distribution. Distribution packages usually backport fixes without changing the upstream version number, so on Debian, Ubuntu or RHEL judge exposure by the package changelog or the vendor's advisory for the CVE, not by the bare version string the binary prints.

  • OpenSSL 1.0.2: this branch is end of life, and releases after 1.0.2u (including 1.0.2zj) are available only to OpenSSL premium support customers. If you keep it for compatibility reasons, obtain the fixed release through that channel and plan the migration off it.
  • OpenSSL 1.1.1: end of life since September 2023; 1.1.1w was the last public release, and later 1.1.1 releases such as 1.1.1x are premium-support only. Upgrade to the newest 1.1.1 release you can obtain, then move to 3.x.
  • OpenSSL 3.x: upgrade to the latest release in the 3.0 series (the long-term support branch) or the 3.1 series.

Configuration Changes:

  • Disable deprecated protocols (SSLv3, TLS 1.0 and TLS 1.1) and weak or legacy cipher suites, so that an unauthenticated peer can only reach the code paths you actually need.
  • Set the SSL/TLS configuration explicitly (minimum protocol version, cipher list, security level) rather than relying on library defaults, so that a bug in an unused feature is not reachable in the first place.
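As an added example (not part of this page or of the OpenSSL project), the POSIX shell script below writes a system-wide openssl.cnf with the weak settings beside the corrected ones and audits a given file for them. The section layout it uses (openssl_conf -> ssl_conf -> system_default_sect, with MinProtocol and CipherString) is the one OpenSSL 1.1.0 and later read from the system openssl.cnf at startup; the bars it enforces (a TLS 1.2 floor, @SECLEVEL=2, and the handful of cipher-list tokens it rejects) are assumptions chosen for this example, the function names are this example's own, and both sample configs are constructed rather than copied from any distribution.

```sh
#!/bin/sh
# Added example, not from the original page or the OpenSSL project:
# a system_default_sect with weak settings next to hardened ones, plus an
# audit that flags the weak values. Thresholds (TLS 1.2 floor, SECLEVEL>=2,
# rejected tokens) are this example's assumptions. POSIX sh + awk only.

# Print one of two constructed configs. The section chain is the layout
# OpenSSL 1.1.0+ reads from the system openssl.cnf; the values are ours.
sample_conf() {
    cat <<'EOF'
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
EOF
    case "$1" in
        weak)
            # Floor at TLS 1.0, the whole cipher catalogue, and security
            # level 0, which permits everything (export keys, MD5 MACs).
            printf 'MinProtocol = TLSv1\nCipherString = ALL:@SECLEVEL=0\n' ;;
        hardened)
            # TLS 1.2+; DEFAULT already drops eNULL/aNULL, and SECLEVEL=2
            # refuses RSA/DH under 2048 bits, ECC under 224 bits, RC4, SSLv3.
            printf 'MinProtocol = TLSv1.2\nCipherString = DEFAULT@SECLEVEL=2\n' ;;
        *) echo "sample_conf: weak|hardened" >&2; return 2 ;;
    esac
}

# Value of KEY inside [system_default_sect] of FILE, or empty if absent.
conf_value() {
    awk -v key="$2" '
        /^\[/ { insect = ($0 == "[system_default_sect]") }
        insect && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
        }' "$1"
}

# Print one line per weak setting in FILE; return 0 if clean, 1 otherwise.
audit_openssl_conf() {
    findings=0
    minproto=$(conf_value "$1" MinProtocol)
    ciphers=$(conf_value "$1" CipherString)
    case "$minproto" in
        TLSv1.2|TLSv1.3) ;;
        "") echo "MinProtocol not set: the library default decides the floor"; findings=1 ;;
        *)  echo "MinProtocol=$minproto permits deprecated protocol versions"; findings=1 ;;
    esac
    # Security level rides inside the cipher string as @SECLEVEL=N.
    level=0
    case "$ciphers" in
        *@SECLEVEL=*) level=${ciphers##*@SECLEVEL=}; level=${level%%:*} ;;
    esac
    [ "$level" -ge 2 ] || { echo "CipherString security level $level is below 2"; findings=1; }
    # Walk the colon-separated tokens; exclusions (!x, -x) and directives
    # (@x) never widen the set, positive legacy tokens do.
    oldifs=$IFS; IFS=:
    for tok in $ciphers; do
        case "$tok" in
            !*|-*|@*) ;;
            ALL|COMPLEMENTOFDEFAULT|eNULL|aNULL|RC4|MD5|DES|EXPORT|LOW)
                echo "CipherString enables $tok"; findings=1 ;;
        esac
    done
    IFS=$oldifs
    return "$findings"
}

# Number of findings for FILE, handy for CI gates and assertions.
audit_count() {
    audit_openssl_conf "$1" | awk 'END { print NR }'
}

# Stand-alone run over both constructed configs.
workdir=$(mktemp -d)
for kind in weak hardened; do
    sample_conf "$kind" > "$workdir/$kind.cnf"
    echo "== $kind: $(audit_count "$workdir/$kind.cnf") finding(s)"
    audit_openssl_conf "$workdir/$kind.cnf" || true
done
rm -rf "$workdir"
```

Before relying on a CipherString, expand it with openssl ciphers -v 'DEFAULT@SECLEVEL=2' to see exactly which suites survive, and remember that the system default only governs processes that load the system openssl.cnf; an application that sets its own cipher list or minimum version in code overrides it.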

Patch Management:

  • Regularly check for OpenSSL security updates and apply them as soon as they are available, then restart the services that link against libssl: a running process keeps the old library mapped until it is restarted.
  • Subscribe to the openssl-announce mailing list to learn about new releases and security advisories as they are published.

Examples

Check OpenSSL Version in bash (prints the upstream version the binary was built from; on distribution packages this string does not change when fixes are backported, so confirm against the package changelog):

openssl version

Update OpenSSL on Ubuntu/Debian in bash (the command-line tool and the shared library are separate packages; libssl3 is the library on current releases, libssl1.1 on releases still shipping 1.1.1):

sudo apt-get update && sudo apt-get install --only-upgrade openssl libssl3

Update OpenSSL on CentOS/Red Hat in bash (yum is an alias of dnf on RHEL 8 and later; openssl-libs is the library package that services actually load):

sudo yum update openssl openssl-libs
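The version check above only tells you which string the binary reports. As an added example (not part of this page or of the OpenSSL project), the POSIX shell script below compares such a string against the first fixed release of its branch using the cut-offs from the findings list on this page (1.0.2zj, 1.1.1x, 3.0.13, 3.1.5). Those thresholds and the function names are this example's assumptions, the sample version strings it feeds itself are constructed, and it uses only sh and awk so it can be dropped onto any audited host. The backport caveat still applies: a vendor package can carry the fix without moving this string, so read "vulnerable" as "check the package changelog".

```sh
#!/bin/sh
# Added example, not from the original page or the OpenSSL project: classify
# an OpenSSL version string against the first fixed release of its branch.
# Thresholds are the ones listed on this page (assumed; raise them as newer
# advisories appear). POSIX sh + awk only.

# Reduce "OpenSSL 1.1.1k  25 Mar 2021", "3.0.12" or "1.0.2zj" to a sortable
# key "major minor patch letterscore". Legacy branches append letters that
# order a < b < ... < z < za < ... < zj; summing alphabet positions preserves
# that order (k=11, z=26, za=27, zj=36, no letters=0). Exit 1 if no x.y.z
# pattern is present.
openssl_version_key() {
    printf '%s\n' "$1" | awk '
        match($0, /[0-9]+\.[0-9]+\.[0-9]+[a-z]*/) {
            v = substr($0, RSTART, RLENGTH)
            gsub(/\./, " ", v)
            split(v, p)                 # p[1] major, p[2] minor, p[3] patch+letters
            patch = p[3]; score = 0
            if (match(patch, /[a-z]+$/)) {
                letters = substr(patch, RSTART)
                patch = substr(patch, 1, RSTART - 1)
                for (i = 1; i <= length(letters); i++)
                    score += index("abcdefghijklmnopqrstuvwxyz", substr(letters, i, 1))
            }
            printf "%d %d %d %d\n", p[1], p[2], patch, score
            found = 1; exit
        }
        END { exit found ? 0 : 1 }'
}

# Print -1, 0 or 1 for a < b, a = b, a > b. Exit 2 if either side is unparseable.
openssl_version_cmp() {
    ka=$(openssl_version_key "$1") || return 2
    kb=$(openssl_version_key "$2") || return 2
    printf '%s\n%s\n' "$ka" "$kb" | awk '
        NR == 1 { for (i = 1; i <= 4; i++) a[i] = $i + 0 }
        NR == 2 {
            for (i = 1; i <= 4; i++) {
                if ($i + 0 < a[i]) { print 1;  exit }
                if ($i + 0 > a[i]) { print -1; exit }
            }
            print 0
        }'
}

# Print fixed | vulnerable | unknown-branch | unparseable for one version
# string. Exit status is 0 only for "fixed".
openssl_check_version() {
    v=$1
    key=$(openssl_version_key "$v") || { echo unparseable; return 2; }
    set -- $key                          # $1 major, $2 minor, $3 patch
    case "$1.$2.$3" in
        1.0.2) fixed=1.0.2zj ;;
        1.1.1) fixed=1.1.1x ;;
        3.0.*) fixed=3.0.13 ;;
        3.1.*) fixed=3.1.5 ;;
        *)     echo unknown-branch; return 2 ;;
    esac
    if [ "$(openssl_version_cmp "$v" "$fixed")" -ge 0 ]; then
        echo fixed; return 0
    fi
    echo vulnerable; return 1
}

# Stand-alone run: constructed sample strings first (not real scan output),
# then the locally installed binary if there is one.
for sample in "OpenSSL 1.1.1k  25 Mar 2021" "3.0.12" "1.0.2zj" "3.1.5" "1.1.1x" "2.0.0"; do
    printf '%-30s %s\n' "$sample" "$(openssl_check_version "$sample")"
done
if command -v openssl >/dev/null 2>&1; then
    live=$(openssl version)
    printf '%-30s %s\n' "$live" "$(openssl_check_version "$live")"
fi
```

Pipe any inventory source into openssl_check_version one string at a time (scanner export, "openssl version" over SSH, the version column of a container image scan) and gate on the exit status; the letter-suffix handling is what keeps 1.0.2z, 1.0.2za and 1.0.2zj in the right order, which a naive string or numeric sort gets wrong.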
