Internet Storm Center
Training
Certification
Cyber Security Graduate School
Security Awareness Training
Computer Forensics
Penetration Testing
IT Audit
Software Security
ISC StormCast for Friday, April 20th 2012 http://isc.sans.edu/podcastdetail.html?id=2479
OpenSSL Security Advisory - CVE-2012-2110
Published: 2012-04-19,
Last Updated: 2012-04-19 19:41:49 UTC
by Kevin Shortt (Version: 1)
Last Updated: 2012-04-19 19:41:49 UTC
by Kevin Shortt (Version: 1)
Earlier today, the OpenSSL team released a fix for a recently discovered vulnerability that exposes applications, that use certain features of OpenSSL, to a heap overflow.
Since OpenSSL is used extensively, there is much speculation and discussion about who is vulnerable. Here are some highlights and links of the reading I've done today.
- UPGRADE to the latest version as soon as you can. [1]
- The SSL/TLS code of OpenSSL is *not* affected. [1]
Which means, OpenSSH is NOT vulnerable. - Read a good detailed explanation of the vulnerability by Tavis Ormandy. [2]
Tavis is credited with discovering the vulnerability. - If Apache is using PEM for certificates, and not parsing untrusted data, then you risks are lower. [1]
[1] http://www.openssl.org/news/secadv_20120419.txt
[2] http://lists.grok.org.uk/pipermail/full-disclosure/2012-April/086585.html
Feel free to post a comment to discuss anything not spoken for in this diary.
-Kevin
--
ISC Handler on Duty
Keywords: CVE 20122110 Openssl
1 comment(s)ISC StormCast for Thursday, April 19th 2012 http://isc.sans.edu/podcastdetail.html?id=2476
Comments
Please choose a specific diary above to comment
Diary Archives
