SANS ISC InfoSec Handlers Diary Blog

OpenSSL Security Advisory - CVE-2012-2110

Published: 2012-04-19
Last Updated: 2012-04-19 19:41:49 UTC
by Kevin Shortt (Version: 1)
1 comment(s)

Earlier today, the OpenSSL team released a fix for a recently discovered vulnerability that exposes applications using certain features of OpenSSL to a heap overflow.

Since OpenSSL is used extensively, there is much speculation and discussion about who is vulnerable. Here are some highlights and links from the reading I've done today.

  • UPGRADE to the latest version as soon as you can. [1]
  • The SSL/TLS code of OpenSSL is *not* affected. [1]
    This means OpenSSH is NOT vulnerable.
  • Read a good, detailed explanation of the vulnerability by Tavis Ormandy. [2]
    Tavis is credited with discovering the vulnerability.
  • If Apache is using PEM for certificates, and not parsing untrusted data, then your risk is lower. [1]
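As an added example (this is not part of the diary and not OpenSSL project code), here is a small POSIX shell helper a defender can use to act on the first and last bullets: it compares the installed OpenSSL version against the fixed version for your branch, which you pass in from the OpenSSL advisory rather than having it hard-coded here, and it flags source files that read DER through the BIO- or FILE-based d2i functions (the d2i_*_bio and d2i_*_fp family that the OpenSSL advisory identifies as affected), while leaving memory-based d2i_* calls and PEM readers unflagged. The function names and the sample source lines are my own assumptions.

```shell
#!/bin/sh
# Added example: helpers for triaging CVE-2012-2110 exposure on a host.
# Not from the ISC diary or the OpenSSL project; function names are assumptions.

# Rank a pre-1.1 OpenSSL letter suffix: "" -> 0, "a" -> 1 ... "z" -> 26,
# two-letter suffixes such as "za" or "zh" sort after every single letter.
suffix_rank() {
    s=$1; r=0
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}                          # first character of the remainder
        r=$(( r * 26 + $(printf '%d' "'$c") - 96 ))  # 'a' is 97 in ASCII
        s=${s#?}
    done
    echo "$r"
}

# openssl_version_ge HAVE WANT: succeed (exit 0) when HAVE >= WANT.
# Handles the 0.9.8/1.0.x scheme: three numeric fields plus an optional
# letter suffix. Build tags after a '-' (e.g. "-fips") are ignored.
openssl_version_ge() {
    have=${1%%-*}; want=${2%%-*}
    have_num=${have%%[a-z]*}; want_num=${want%%[a-z]*}
    have_suf=${have#"$have_num"}; want_suf=${want#"$want_num"}
    i=1
    while [ "$i" -le 3 ]; do
        h=$(printf '%s' "$have_num" | cut -d. -f"$i"); h=${h:-0}
        w=$(printf '%s' "$want_num" | cut -d. -f"$i"); w=${w:-0}
        if [ "$h" -gt "$w" ]; then return 0; fi
        if [ "$h" -lt "$w" ]; then return 1; fi
        i=$((i + 1))
    done
    # numeric fields equal: the letter suffix decides, "" sorting before "a"
    [ "$(suffix_rank "$have_suf")" -ge "$(suffix_rank "$want_suf")" ]
}

# check_installed_openssl WANT: compare `openssl version` with the fixed
# version for your branch (take WANT from the OpenSSL advisory).
check_installed_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl binary not found on PATH"; return 2
    fi
    have=$(openssl version | awk '{print $2}')   # e.g. "OpenSSL 1.0.1 14 Mar 2012" -> "1.0.1"
    if openssl_version_ge "$have" "$1"; then
        echo "OK: OpenSSL $have >= $1"
    else
        echo "UPGRADE: OpenSSL $have < $1"; return 1
    fi
}

# find_der_bio_readers DIR: print file:line:text for each call of the form
# d2i_<TYPE>_bio( or d2i_<TYPE>_fp(, i.e. DER read from a BIO or FILE.
# Memory-based d2i_<TYPE>( calls and PEM_read_* calls are intentionally not matched;
# review each hit for whether the input can be attacker-supplied.
find_der_bio_readers() {
    grep -rnE 'd2i_[A-Za-z0-9_]+_(bio|fp)[[:space:]]*\(' "$1" 2>/dev/null || true
}

# Usage: sh check.sh <fixed-version-from-advisory>   (no argument: define helpers only)
if [ -n "${1:-}" ]; then
    check_installed_openssl "$1"
fi
```

The version comparison is only meaningful for the letter-suffixed 0.9.8 and 1.0.x branches this advisory concerns; a LibreSSL or OpenSSL 1.1+ install prints a different scheme and should be judged against its own release notes. The source scan is a triage aid, not proof of exploitability: a hit still has to be paired with the last bullet's question of whether the data being parsed is untrusted.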


Feel free to post a comment to discuss anything not spoken for in this diary.

ISC Handler on Duty
