The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of OpenSSL: four vulnerabilities

Synthesis of the vulnerability 

An attacker can use several vulnerabilities of OpenSSL.
Impacted systems: ProxyAV, ProxySG by Blue Coat, SGOS by Blue Coat, FabricOS, Brocade Network Advisor, Brocade vTM, Cisco ASR, Cisco ATA, Cisco AnyConnect Secure Mobility Client, AnyConnect VPN Client, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, Cisco Content SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Encryption, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Prime Network Control Systems, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Unity Cisco, Cisco WSA, Debian, Unisphere EMC, VNX Operating Environment, VNX Series, BIG-IP Hardware, TMOS, Fedora, FileZilla Server, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiClient, FortiManager, FortiManager Virtual Appliance, FortiOS, FreeBSD, HP Operations, HP Switch, HP-UX, AIX, Db2 UDB, IRAD, Security Directory Server, SPSS Modeler, Tivoli Workload Scheduler, WebSphere MQ, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper SBR, McAfee Email and Web Security, McAfee Email Gateway, McAfee Web Gateway, Data ONTAP 7-Mode, Snap Creator Framework, SnapManager, NetBSD, NetScreen Firewall, ScreenOS, Nodejs Core, OpenBSD, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Solaris, Palo Alto Firewall PA***, PAN-OS, pfSense, Pulse Connect Secure, Puppet, RHEL, Slackware, stunnel, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Nessus, Ubuntu, WinSCP.
Severity of this alert: 2/4.
Number of vulnerabilities in this bulletin: 4.
Creation date: 12/06/2015.
References of this alert: 1450666, 1610582, 1647054, 1961111, 1961569, 1964113, 1964766, 1966038, 1970103, 1972125, 9010038, 9010039, BSA-2015-006, bulletinjul2015, c04760669, c05184351, c05353965, CERTFR-2015-AVI-257, CERTFR-2015-AVI-431, CERTFR-2016-AVI-128, CERTFR-2016-AVI-303, cisco-sa-20150612-openssl, cpuapr2017, cpuoct2017, CTX216642, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1792, DSA-2019-197, DSA-2020-062, DSA-3287-1, FEDORA-2015-10047, FEDORA-2015-10108, FreeBSD-SA-15:10.openssl, HPSBGN03678, HPSBHF03613, HPSBUX03388, JSA10694, JSA10733, NetBSD-SA2015-008, NTAP-20150616-0001, openSUSE-SU-2015:1139-1, openSUSE-SU-2015:1277-1, openSUSE-SU-2015:2243-1, openSUSE-SU-2016:0640-1, PAN-SA-2016-0020, PAN-SA-2016-0028, RHSA-2015:1115-01, RHSA-2015:1197-01, SA40002, SA98, SB10122, SOL16898, SOL16913, SOL16915, SOL16938, SSA:2015-162-01, SSRT102180, SUSE-SU-2015:1143-1, SUSE-SU-2015:1150-1, SUSE-SU-2015:1181-1, SUSE-SU-2015:1181-2, SUSE-SU-2015:1182-2, SUSE-SU-2015:1183-1, SUSE-SU-2015:1183-2, SUSE-SU-2015:1184-1, SUSE-SU-2015:1184-2, SUSE-SU-2015:1185-1, TNS-2015-07, TSB16728, USN-2639-1, VIGILANCE-VUL-17117.

Description of the vulnerability 

Several vulnerabilities were announced in OpenSSL.

An attacker can generate an infinite loop via ECParameters, in order to trigger a denial of service. [severity:2/4; CVE-2015-1788]

An attacker can force a read at an invalid address in X509_cmp_time(), in order to trigger a denial of service. [severity:2/4; CVE-2015-1789]

An attacker can force a NULL pointer to be dereferenced via EnvelopedContent, in order to trigger a denial of service. [severity:2/4; CVE-2015-1790]

An attacker can generate an infinite loop via CMS signedData, in order to trigger a denial of service. [severity:2/4; CVE-2015-1792]
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This computer vulnerability bulletin impacts software or systems such as ProxyAV, ProxySG by Blue Coat, SGOS by Blue Coat, FabricOS, Brocade Network Advisor, Brocade vTM, Cisco ASR, Cisco ATA, Cisco AnyConnect Secure Mobility Client, AnyConnect VPN Client, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, Cisco Content SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Encryption, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Prime Network Control Systems, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Unity Cisco, Cisco WSA, Debian, Unisphere EMC, VNX Operating Environment, VNX Series, BIG-IP Hardware, TMOS, Fedora, FileZilla Server, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiClient, FortiManager, FortiManager Virtual Appliance, FortiOS, FreeBSD, HP Operations, HP Switch, HP-UX, AIX, Db2 UDB, IRAD, Security Directory Server, SPSS Modeler, Tivoli Workload Scheduler, WebSphere MQ, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper SBR, McAfee Email and Web Security, McAfee Email Gateway, McAfee Web Gateway, Data ONTAP 7-Mode, Snap Creator Framework, SnapManager, NetBSD, NetScreen Firewall, ScreenOS, Nodejs Core, OpenBSD, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Solaris, Palo Alto Firewall PA***, PAN-OS, pfSense, Pulse Connect Secure, Puppet, RHEL, Slackware, stunnel, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Nessus, Ubuntu, WinSCP.

Our Vigil@nce team determined that the severity of this vulnerability bulletin is medium.

Trust level: confirmed by the vendor (the software publisher). Attack origin: internet client.

This bulletin is about 4 vulnerabilities.

Exploiting the vulnerabilities in this bulletin requires an attacker with expert skill.

Solutions for this threat 

OpenSSL: version 1.0.2b.
The version 1.0.2b is fixed:
  https://www.openssl.org/source/

OpenSSL: version 1.0.1n.
The version 1.0.1n is fixed:
  https://www.openssl.org/source/

OpenSSL: version 1.0.0s.
The version 1.0.0s is fixed:
  https://www.openssl.org/source/

OpenSSL: version 0.9.8zg.
The version 0.9.8zg is fixed:
  https://www.openssl.org/source/
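The four upstream releases above are the reference point for deciding whether a given OpenSSL build is still exposed. The following Python check is an added example, not code from Vigil@nce or from the OpenSSL project: it parses a version string (bare, or as printed by `openssl version`), orders the letter suffix the way OpenSSL numbers its releases (a..z, then za, zb, ...), and compares it against the fixed release of the same branch. It also flags distribution-packaged versions (those carrying a `-` revision such as Debian's 1.0.1e-2+deb7u17), because distributions backport fixes without bumping the upstream letter, so the upstream comparison is not valid for them and the package version must be checked against the distribution's own advisory instead. The `SAMPLE_INVENTORY` host names and version strings are constructed sample data.

```python
import re

# Fixed upstream OpenSSL releases listed in the bulletin, keyed by release branch.
FIXED_VERSIONS = {
    "1.0.2": "1.0.2b",
    "1.0.1": "1.0.1n",
    "1.0.0": "1.0.0s",
    "0.9.8": "0.9.8zg",
}

# Matches "1.0.1k", "0.9.8zg" or a distro-revised "1.0.1e-2+deb7u17", optionally
# embedded in `openssl version` output such as "OpenSSL 1.0.1k 8 Jan 2015".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(-[A-Za-z0-9.+~:]+)?")


def parse_version(text):
    """Return (major, minor, patch, letters, distro_suffix), or None if no version is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letters, distro = m.groups()
    return int(major), int(minor), int(patch), letters, distro or ""


def letter_key(letters):
    # Upstream letter suffixes run "" < a < b < ... < z < za < zb < ...,
    # so ordering by length first and then alphabetically matches OpenSSL's scheme.
    return (len(letters), letters)


def classify(text):
    """Classify an OpenSSL version string against the bulletin's fixed releases.

    Returns one of:
      "fixed"           upstream release at or above the fixed version of its branch
      "vulnerable"      upstream release below the fixed version of its branch
      "distro-packaged" carries a distribution revision; compare the package
                        version against the distribution advisory instead
      "unknown-branch"  branch not covered by this bulletin
      "unparsed"        no version number found in the input
    """
    parsed = parse_version(text)
    if parsed is None:
        return "unparsed"
    major, minor, patch, letters, distro = parsed
    if distro:
        return "distro-packaged"
    branch = f"{major}.{minor}.{patch}"
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return "unknown-branch"
    fixed_letters = parse_version(fixed)[3]
    return "fixed" if letter_key(letters) >= letter_key(fixed_letters) else "vulnerable"


# Constructed sample inventory (hypothetical hosts, not real data): `openssl version`
# output collected from each host, plus one distribution package version string.
SAMPLE_INVENTORY = {
    "web-1": "OpenSSL 1.0.1k 8 Jan 2015",
    "web-2": "OpenSSL 1.0.2b 11 Jun 2015",
    "legacy-1": "OpenSSL 0.9.8y 5 Feb 2013",
    "legacy-2": "OpenSSL 0.9.8zh 3 Dec 2015",
    "deb-1": "1.0.1e-2+deb7u17",
    "new-1": "OpenSSL 1.1.0 25 Aug 2016",
}


def report(inventory):
    """Map each host name to the classification of its OpenSSL version."""
    return {host: classify(version) for host, version in inventory.items()}


if __name__ == "__main__":
    for host, status in report(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Feed the function the output of `openssl version` from each host; anything classified as "distro-packaged" should be resolved against the vendor package list further down in this bulletin rather than against the upstream releases.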

AIX: patch for OpenSSL (15/07/2015).
A patch is available:
  ftp://aix.software.ibm.com/aix/efixes/security/openssl_fix14.tar

Blue Coat: fixed versions for OpenSSL.
Fixed versions are indicated in information sources.

Brocade: solution for OpenSSL.
The solution is indicated in information sources.

Cisco: solution for OpenSSL.
Solutions for some products are available in information sources.

Citrix NetScaler: fixed versions for LOM Firmware.
Fixed versions are indicated in information sources.

Citrix NetScaler Platform IPMI LOM: solution.
The solution is indicated in information sources.

Debian: new openssl packages.
New packages are available:
  Debian 7: openssl 1.0.1e-2+deb7u17
  Debian 8: openssl 1.0.1k-3+deb8u1

Dell EMC Unisphere for PowerMax: solution.
The solution is indicated in information sources.

Dell EMC VNXe: version MR4 Service Pack 5.
The version MR4 Service Pack 5 is fixed:
  https://www.dell.com/support/

F5 BIG-IP: fixed versions for OpenSSL.
Fixed versions are indicated in information sources.

Fedora: new openssl packages (22/06/2015).
New packages are available:
  Fedora 22: openssl 1.0.1k-10.fc22
  Fedora 21: openssl 1.0.1k-10.fc21

FileZilla Server: version 0.9.53.
The version 0.9.53 is fixed:
  https://filezilla-project.org/download.php?type=server

Fortinet: fixed versions for OpenSSL.
Fixed versions are indicated in information sources.

FreeBSD: patch for openssl.
A patch is available:
  FreeBSD 10.1: https://security.FreeBSD.org/patches/SA-15:10/openssl-10.1.patch
  FreeBSD 9.3, 8.4: https://security.FreeBSD.org/patches/SA-15:10/openssl-8.4.patch

HPE Switch Comware: patch for OpenSSL.
A patch is indicated in information sources for numerous products of the families Comware 5 and Comware 7.

HP Operations: patch for OpenSSL.
A patch is indicated in information sources. The announcement provides one link for each platform.

HP-UX: fixed versions for OpenSSL.
Fixed versions are indicated in information sources:
  OpenSSL_A.01.00.01p
  https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=OPENSSL11I

IBM DB2: patch for OpenSSL.
A patch is indicated in information sources.

IBM DB2: version 10.1 Fix Pack 6.
The version 10.1 Fix Pack 6 is fixed.

IBM DB2: version 10.5 Fix Pack 7.
The version 10.5 Fix Pack 7 is fixed:
  http://www-01.ibm.com/support/docview.wss?uid=swg24041243

IBM DB2: version 9.7 Fix Pack 11.
The version 9.7 Fix Pack 11 is fixed:
  http://www-01.ibm.com/support/docview.wss?uid=swg24040935

IBM Rational Application Developer: solution for OpenSSL.
The solution is indicated in information sources.

IBM SPSS Modeler: patch for GSKit.
A patch is indicated in information sources.

IBM Tivoli Security Directory Server: patch for OpenSSL.
A patch is available in information sources for product versions 6.3, 6.3.1 and 6.4.

IBM Tivoli Workload Scheduler: patch for OpenSSL.
A patch is indicated in information sources.

IBM WebSphere MQ: fixed versions for CVE-2015-1788.
Fixed versions are indicated in information sources.

IBM WebSphere MQ: version 8.0.0.4.
The version 8.0.0.4 is fixed:
  http://www-01.ibm.com/support/docview.wss?uid=swg21969244
  http://www-01.ibm.com/support/docview.wss?uid=swg24037500

Juniper Junos: fixed versions for OpenSSL.
Fixed versions are indicated in information sources.

Juniper Pulse: solution for OpenSSL.
The solution is indicated in information sources.

McAfee Email and Web Security: version 5.6h1054075.
The version 5.6h1054075 is fixed:
  https://support.mcafee.com/downloads
Workarounds are indicated in the McAfee announcement.

McAfee Email Gateway: version 7.6.401.
Version 7.6.401 is fixed:
  https://support.mcafee.com/downloads

McAfee Web Gateway: solution for OpenSSL.
A solution is available from McAfee.

Nessus: version 5.2.12.
The version 5.2.12 is fixed:
  http://www.tenable.com/products/nessus-vulnerability-scanner

NetApp Data: solution for OpenSSL 06/2015.
A patch is available:
  Data ONTAP Edge: http://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=923550
  Data ONTAP operating in 7-Mode: http://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=923548
  Data ONTAP SMI-S Agent: http://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=923545
  Snap Creator Framework: https://mysupport.netapp.com/NOW/download/software/snapcreator_framework/4.3P1/
  SnapManager for SAP win: http://mysupport.netapp.com/NOW/download/software/snapmanager_sap_win/3.4P2/
  SnapManager for SAP unix: http://mysupport.netapp.com/NOW/download/software/snapmanager_sap_unix/3.4P2/

NetBSD: patch for OpenSSL.
A patch is available in information sources.

Node.js: version 0.12.5.
The version 0.12.5 is fixed:
  https://nodejs.org/download/

OpenBSD: patch for OpenSSL.
A patch is available:
  http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/026_openssl.patch.sig
  http://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/009_openssl.patch.sig

openSUSE 13.2: new libressl packages.
New packages are available:
  openSUSE 13.2: libressl 2.2.1-2.3.1

openSUSE: new libopenssl0_9_8 packages.
New packages are available:
  openSUSE 13.2: libopenssl0_9_8 0.9.8zh-9.3.1
  openSUSE Leap 42.1: libopenssl0_9_8 0.9.8zh-14.1

openSUSE: new mysql-community-server packages.
New packages are available:
  openSUSE 13.1: mysql-community-server 5.6.27-7.13.1
  openSUSE 13.2: mysql-community-server 5.6.27-2.12.1
  openSUSE Leap 42.1: mysql-community-server 5.6.27-8.1

openSUSE: new openssl packages.
New packages are available:
  openSUSE 13.2: libopenssl1_0_0 1.0.1k-2.24.1
  openSUSE 13.1: libopenssl1_0_0 1.0.1k-11.72.1

Oracle Communications: CPU of April 2017.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2247453.1
  https://support.oracle.com/rs?type=doc&id=2248470.1
  https://support.oracle.com/rs?type=doc&id=2251718.1
  https://support.oracle.com/rs?type=doc&id=2245233.1
  https://support.oracle.com/rs?type=doc&id=2248526.1
  https://support.oracle.com/rs?type=doc&id=2250567.1

Oracle Communications: CPU of October 2017.
A Critical Patch Update is available.

PAN-OS: versions 5.0.20, 5.1.13, 6.0.14, 6.1.13, 7.0.9 and 7.1.4.
Versions 5.0.20, 5.1.13, 6.0.14, 6.1.13, 7.0.9 and 7.1.4 are fixed.

pfSense: version 2.2.3.
The version 2.2.3 is fixed:
  https://www.pfsense.org/download/mirror.php?section=updates
  https://www.pfsense.org/download/mirror.php?section=downloads

Puppet Labs Puppet: fixed versions for OpenSSL.
The following versions are fixed:
  Puppet Enterprise 3.8.1
  Puppet Agent 1.1.1

RHEL 5: new openssl packages.
New packages are available:
  RHEL 5: openssl 0.9.8e-36.el5_11

RHEL: new openssl packages.
New packages are available:
  RHEL 6: openssl 1.0.1e-30.el6_6.11
  RHEL 7: openssl 1.0.1e-42.el7_1.8

ScreenOS: version 6.3.0r22.
The version 6.3.0r22 is fixed:
  https://www.juniper.net/

Slackware: new openssl packages.
New packages are available:
  Slackware 13.0: openssl 0.9.8zg-*-1_slack13.0
  Slackware 13.1: openssl 0.9.8zg-*-1_slack13.1
  Slackware 13.37: openssl 0.9.8zg-*-1_slack13.37
  Slackware 14.0: openssl 1.0.1n-*-1_slack14.0
  Slackware 14.1: openssl 1.0.1n-*-1_slack14.1

Solaris: patch for Third Party (07/2015).
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

stunnel: version 5.18.
The version 5.18 is fixed:
  https://www.stunnel.org/downloads.html

SUSE LE 10: new openssl packages.
New packages are available:
  SUSE LE 10: openssl 0.9.8a-18.92.1

SUSE LE 11: new OpenSSL 0.9.8 packages.
New packages are available:
  SUSE LE 11: openssl 0.9.8j-0.72.1

SUSE LE 12: new openssl packages.
New packages are available:
  SUSE LE 12: libopenssl1_0_0 1.0.1i-25.1, libopenssl0_9_8 0.9.8j-78.1

SUSE LE: new OpenSSL packages 0.9.7.
New packages are available:
  SUSE LE 11: compat-openssl097g 0.9.7g-146.22.31.1
  SUSE LE 10: compat-openssl097g 0.9.7g-13.31.1

SUSE LE Security Module 11: new OpenSSL 1.0 packages.
New packages are available:
  SUSE LE 11: openssl1 1.0.1g-0.30.1

Synology DS214, RS214: version 5.2-5592.
The version 5.2-5592 is fixed.

Ubuntu: new openssl packages.
New packages are available:
  Ubuntu 15.04: libssl1.0.0 1.0.1f-1ubuntu11.4
  Ubuntu 14.10: libssl1.0.0 1.0.1f-1ubuntu9.8
  Ubuntu 14.04 LTS: libssl1.0.0 1.0.1f-1ubuntu2.15
  Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.31

WinSCP: version 5.7.4.
The version 5.7.4 is fixed:
  http://winscp.net/eng/download.php

Computer vulnerabilities tracking service 

Vigil@nce provides a vulnerability tracking service for computer systems. The Vigil@nce vulnerability database contains several thousand vulnerabilities.