Guidance - OpenSSL Vulnerability CVE-2015-1793

This morning, OpenSSL released details of a vulnerability (CVE-2015-1793) affecting OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1o and 1.0.1n. It affects whichever side of a connection verifies the peer's certificate: clients are exposed whenever they connect to a server, while listening servers are unaffected unless they validate client certificates.  The flaw is in certificate chain verification: when building a chain fails on the first attempt, these versions try to construct an alternative chain, and an error in that logic can bypass checks on untrusted certificates, including the CA flag.  As a result, anyone holding an ordinary leaf certificate issued by a trusted Certificate Authority can use it as if it were itself a CA and sign a rogue certificate for any domain, and an affected OpenSSL will accept that certificate without noticing.  By doing this, an attacker could either set up a malicious server or man in the middle an affected connection, presenting the rogue certificate to an affected client.  Because the chain appears to lead back to a valid Certificate Authority, the client would remain unaware that its TLS connection terminated at the attacker rather than at the intended server.

OpenSSL is a library commonly used to provide TLS/SSL functionality to other applications, and it is installed by default on many Unix distributions, so many people use OpenSSL without necessarily being aware of it.  Most applications link against the shared OpenSSL libraries rather than linking them statically; upgrading the OpenSSL libraries on a system therefore fixes all of that software at once, although processes that were already running keep the old library loaded until they are restarted.  The notable exceptions are statically linked or bundled copies of OpenSSL, and applications deployed via Docker containers, since by design the libraries within the container image are used rather than those provided by the host operating system; such images must be rebuilt or updated separately.

OpenSSL is not limited to Unix systems; it is open source software, so it can be compiled for other platforms. Other operating systems, Microsoft Windows for example, also have builds of OpenSSL available, and applications that ship their own copy of one of those builds may also need to be upgraded.

It is suggested that users running OpenSSL 1.0.2b or 1.0.2c should upgrade to 1.0.2d, and those running 1.0.1n or 1.0.1o should upgrade to 1.0.1p, using the update mechanism appropriate to their system.  Earlier releases (1.0.1m and before, 1.0.2a and before) never contained the affected code and do not need this fix.  Note that the version string alone is not always conclusive: distribution packages often report an upstream version number while carrying vendor patches, so check your vendor's advisory as well, and restart any long-running services after the libraries have been replaced.
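As an added example, not part of the original guidance, the following POSIX shell script classifies the version reported by `openssl version` against the affected and fixed releases above, and on Linux lists processes that still have a replaced libssl or libcrypto mapped and therefore need a restart. The function names are my own; the version ranges are those from the advisory, and the script only inspects the OpenSSL that the command-line tool is linked against.

```shell
#!/bin/sh
# Added example, not part of the original guidance: triage an installed
# OpenSSL against CVE-2015-1793 and find processes that still need a restart.
#
# Affected upstream releases (the alternative chain code first shipped
# in 1.0.1n and 1.0.2b):
#   1.0.1n, 1.0.1o -> fixed in 1.0.1p
#   1.0.2b, 1.0.2c -> fixed in 1.0.2d
# Earlier releases never contained the faulty code.

# Pull the version token out of an "openssl version" banner, e.g.
# "OpenSSL 1.0.2c 12 Jun 2015" -> "1.0.2c". Prints nothing for other
# libraries (LibreSSL, BoringSSL) or for an empty banner.
openssl_version_from_banner() {
    set -- $1
    if [ "$1" = "OpenSSL" ]; then
        echo "$2"
    fi
    return 0
}

# Classify an upstream OpenSSL version string. Letter suffixes sort
# alphabetically within a branch, so p-z and d-z are the fixed releases.
cve_2015_1793_status() {
    case "$1" in
        "")               echo "unknown" ;;
        1.0.1n*|1.0.1o*)  echo "vulnerable, upgrade to 1.0.1p" ;;
        1.0.2b*|1.0.2c*)  echo "vulnerable, upgrade to 1.0.2d" ;;
        1.0.1[p-z]*)      echo "fixed" ;;
        1.0.2[d-z]*)      echo "fixed" ;;
        *)                echo "not affected" ;;
    esac
}

# Linux only: after the package upgrade, processes that loaded the old
# libssl/libcrypto keep it mapped, and the kernel shows those mappings
# as "(deleted)" in /proc/PID/maps. Prints one PID per line.
processes_with_stale_openssl() {
    for maps in /proc/[0-9]*/maps; do
        if grep -Eq 'lib(ssl|crypto)[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
            pid=${maps#/proc/}
            echo "${pid%/maps}"
        fi
    done
    return 0
}

# Report on the OpenSSL that the command-line tool is linked against.
# Applications with a bundled or statically linked copy must be checked
# separately (for example with ldd, or inside each container image).
report() {
    banner=$(openssl version 2>/dev/null || true)
    version=$(openssl_version_from_banner "$banner")
    echo "openssl version: ${version:-not found}"
    echo "CVE-2015-1793:   $(cve_2015_1793_status "$version")"
    stale=$(processes_with_stale_openssl)
    if [ -n "$stale" ]; then
        echo "processes still using a replaced OpenSSL (restart them):"
        echo "$stale"
    fi
}

report
```

The version check is a first pass only: a distribution package may report an older upstream number while carrying a backported fix, or may have been built from a release that never contained the alternative chain code, so treat "vulnerable" as a prompt to consult the vendor advisory rather than as a final verdict.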