As promised earlier this week, OpenSSL released a patch for a high-severity bug affecting versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
The flaw, an alternative-chains certificate forgery bug (CVE-2015-1793), was reported to OpenSSL in late June by Google security engineer Adam Langley and Google developer David Benjamin, according to the project's security advisory published Thursday.
The advisory says the vulnerability affects “any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.” In other words, the weakness is on the verifying side: a server that never verifies client certificates is not exposed through its own certificate, but every client that validates a server's chain is.
The bug lives in the alternative-chain logic introduced in the June releases (1.0.1n and 1.0.2b): when the first attempt to build a trusted chain fails, OpenSSL now tries to build an alternative chain, and an error in that fallback path skips checks it should perform. Exploitation could allow an attacker to “cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and ‘issue’ an invalid certificate,” the advisory explained. Practically, that means any holder of an ordinary end-entity certificate from a trusted CA could mint certificates for arbitrary names that a vulnerable verifier would accept.
Users of OpenSSL 1.0.2b and 1.0.2c should upgrade to 1.0.2d, and users of 1.0.1n and 1.0.1o to 1.0.1p. Earlier releases, including the 1.0.0 and 0.9.8 branches, do not contain the alternative-chain code and are not affected. Note that Linux distributions often backport fixes without changing the upstream version string, so the vendor's package changelog, not only `openssl version`, is what to check.
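The following script is an added example, not code from the article or from the OpenSSL project. It does two things a practitioner would want after reading the advisory: it maps the output of `openssl version` onto the four affected release strings named above, and it checks that the installed OpenSSL refuses to treat a CA:FALSE leaf certificate as an issuer, which is exactly the check the advisory says the bug could bypass. It builds a throwaway root CA, a leaf signed by that root, and a "forged" certificate signed by the leaf's key, all constructed in a temp directory; the function names, the test subject names and the extension profiles are this example's own assumptions. It does not reproduce the alternative-chain trigger of CVE-2015-1793, only the ordinary CA-flag enforcement that a patched build must still apply.

```shell
#!/bin/sh
# Added example (not from the article). Requires only the openssl CLI.

# Return 0 if an "openssl version" string names one of the four affected
# releases from the advisory, 1 otherwise. Suffixed builds such as
# "1.0.2c-fips" are matched by the trailing glob.
is_affected_version() {
  # shellcheck disable=SC2086
  set -- $1                     # "OpenSSL 1.0.2c 12 Jun 2015" -> $2 is the version
  case "$2" in
    1.0.2b*|1.0.2c*|1.0.1n*|1.0.1o*) return 0 ;;
    *)                               return 1 ;;
  esac
}

# Build root -> leaf (CA:FALSE) -> forged, then ask the local openssl whether
# the forged certificate verifies with the leaf offered as its issuer.
#   0 = forged cert rejected and genuine leaf accepted (CA flag enforced)
#   1 = forged cert accepted (CA flag NOT enforced)
#   2 = could not build the test material
#   3 = openssl CLI not installed
check_leaf_as_ca() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 3; }
  dir=$(mktemp -d) || return 2
  (
    cd "$dir" || exit 2
    # Extension profiles kept in a config file so the commands work on old and
    # new releases alike (no reliance on the newer -addext option).
    cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[forged]
basicConstraints = critical, CA:FALSE
EOF
    # Constructed test material: self-signed root, a leaf issued by it, and a
    # certificate for a victim name signed with the leaf's private key.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
      -subj "/CN=Test Root" -days 30 -config ext.cnf -extensions ca >/dev/null 2>&1 || exit 2
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
      -subj "/CN=leaf.example" -config ext.cnf >/dev/null 2>&1 || exit 2
    openssl x509 -req -in leaf.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -out leaf.crt -days 30 -extfile ext.cnf -extensions leaf >/dev/null 2>&1 || exit 2
    openssl req -new -newkey rsa:2048 -nodes -keyout forged.key -out forged.csr \
      -subj "/CN=victim.example" -config ext.cnf >/dev/null 2>&1 || exit 2
    # The x509 tool signs with whatever key it is given; it is the verifier's
    # job, not the signer's, to notice that leaf.crt is not a CA.
    openssl x509 -req -in forged.csr -CA leaf.crt -CAkey leaf.key -CAcreateserial \
      -out forged.crt -days 30 -extfile ext.cnf -extensions forged >/dev/null 2>&1 || exit 2

    # Sanity check: the genuine leaf must chain to the root.
    openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1 || exit 2

    # The real check: with the leaf supplied as an untrusted intermediate, the
    # forged certificate must be rejected because the leaf lacks CA:TRUE.
    if openssl verify -CAfile root.crt -untrusted leaf.crt forged.crt >/dev/null 2>&1; then
      echo "FAIL: non-CA leaf accepted as an issuer"
      exit 1
    fi
    echo "OK: non-CA leaf rejected as an issuer"
    exit 0
  )
  rc=$?
  rm -rf "$dir"
  return $rc
}

# Usage when run directly: report on the installed OpenSSL.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
  v=$(openssl version 2>/dev/null)
  if is_affected_version "$v"; then
    echo "affected release string: $v"
  else
    echo "not an affected release string: $v"
  fi
  check_leaf_as_ca
fi
```

The version check is deliberately string-based because that is all `openssl version` gives you; on a distribution that backports the fix the string will still read as affected, and the certificate check above is the better signal. The script exits 0 only when the genuine leaf verifies and the leaf-issued certificate is refused.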
OpenSSL patches high severity bug allowing certificate forgery