Multiple vulnerabilities in OpenSSL could allow an unauthenticated, remote attacker to access sensitive information or cause a denial of service (DoS) condition.
This update addresses multiple vulnerabilities that are due to insufficient bounds checking by the affected software along with insufficient validation of user-supplied input processed by certain functions implemented in the affected software. An attacker could exploit these vulnerabilities by submitting crafted input to a targeted system, causing the system to become unresponsive or crash and resulting in a DoS condition.
In addition, an attacker in a man-in-the-middle position between a targeted system and a system that is communicating with the targeted system could conduct a SWEET32 attack, identified as CVE-2016-2183, to access sensitive information.
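SWEET32 (CVE-2016-2183) is a birthday attack on block ciphers with a 64-bit block size, so the practical defender's check is whether the affected OpenSSL deployment still negotiates such suites (3DES, DES, RC2, IDEA). The script below is an added example written for this page, not code from the advisory or from the OpenSSL project: it parses the `openssl ciphers -v` listing for a cipher string, flags every suite whose Enc= field is a 64-bit block cipher, and builds a replacement cipher string that drops them and adds explicit exclusions. The listing embedded in it is a constructed sample, not output captured from a real host; on a live system, pipe the real output in through stdin.

```python
import re
import sys

# Constructed sample of `openssl ciphers -v` output (not captured from a real host).
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""

# Encryption algorithms with a 64-bit block size, as OpenSSL names them in the Enc= field.
SMALL_BLOCK_CIPHERS = {"3DES", "DES", "RC2", "IDEA"}

# OpenSSL cipher-string keywords that exclude those algorithms outright.
EXCLUSIONS = "!3DES:!DES:!RC2:!IDEA"

# One line of `openssl ciphers -v`: name, protocol, Kx=, Au=, Enc=ALG(bits), Mac=.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[A-Za-z0-9]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
)


def parse_ciphers_v(text):
    """Return a list of dicts, one per suite, parsed from `openssl ciphers -v` output."""
    suites = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            # Unknown line shape: report it rather than silently skipping a suite.
            raise ValueError("unrecognised cipher line: %r" % line)
        suites.append(match.groupdict())
    return suites


def find_sweet32_exposed(text):
    """Names of suites that use a 64-bit block cipher and are therefore SWEET32-relevant."""
    return [s["name"] for s in parse_ciphers_v(text) if s["enc"] in SMALL_BLOCK_CIPHERS]


def hardened_cipher_string(text):
    """Cipher string keeping only the non-flagged suites, with explicit exclusions appended."""
    keep = [s["name"] for s in parse_ciphers_v(text) if s["enc"] not in SMALL_BLOCK_CIPHERS]
    return ":".join(keep) + ":" + EXCLUSIONS


if __name__ == "__main__":
    # Usage: openssl ciphers -v 'DEFAULT' | python3 sweet32_check.py
    # With no piped input, fall back to the constructed sample above.
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CIPHERS_V
    flagged = find_sweet32_exposed(listing)
    for name in flagged:
        print("64-bit block cipher suite enabled:", name)
    print("suggested cipher string:", hardened_cipher_string(listing))
```

The parser raises on any line it does not understand instead of skipping it, so a changed output format cannot quietly hide a flagged suite; the generated string is a starting point to review against the application's own cipher policy, not a drop-in replacement.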
Administrators are advised to apply the appropriate updates.
Administrators are advised to allow only trusted users to have network access.
Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
Administrators are advised to monitor affected systems.
OpenSSL has released a security advisory at the following link: OpenSSL Security Advisory (September 22, 2016)
OpenSSL has released software updates at the following link: OpenSSL Downloads
CentOS packages can be updated using the up2date or yum command.
FreeBSD has released a security advisory at the following link: FreeBSD-SA-16:26.openssl
FreeBSD has released software patches at the following links:
FreeBSD has released a VuXML document at the following link: OpenSSL -- multiple vulnerabilities
FreeBSD has released ports collection updates at the following link: Ports Collection Index
Red Hat has released CVE statements and security advisories for bugs 1341705, 1377600, and 1343400 at the following links: RHSA-2016-1940, RHSA-2017-0193, and RHSA-2017-0194
Red Hat has released updated software for registered subscribers at the following link: Red Hat Network. Red Hat packages can be updated on Red Hat Enterprise Linux versions 5 and later by using the yum tool.