Cybersecurity Agencies Warn of High-Severity OpenSSL Vulnerability (Security News, December 2020)
Computer emergency response teams and other cybersecurity agencies around the world have released alerts and advisories for a recently disclosed denial-of-service vulnerability affecting OpenSSL, and vendors have started assessing the impact of the flaw on their products.
The OpenSSL Project announced this week that OpenSSL 1.1.1i fixes a high-severity vulnerability that can be exploited for remote DoS attacks.
"The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack," the OpenSSL Project said in its advisory.
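The failure mode the advisory describes, a comparison routine that dereferences a pointer which is legitimately absent, illustrated with an added C example that is not OpenSSL's code. It models EDIPartyName as RFC 5280 defines it (nameAssigner optional, partyName required); the DirString/EdiPartyName types, the two comparators and the sample names are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for an ASN.1 DirectoryString: a NUL-terminated C string. */
typedef struct { const char *data; } DirString;

/* Simplified model of X.509 EDIPartyName (RFC 5280, Section 4.2.1.6):
 *   nameAssigner [0] DirectoryString OPTIONAL  -- may be absent (NULL here)
 *   partyName    [1] DirectoryString           -- always present */
typedef struct {
    const DirString *nameAssigner;
    const DirString *partyName;
} EdiPartyName;

/* Compare two DirectoryStrings that the caller guarantees are non-NULL. */
static int dirstring_cmp(const DirString *a, const DirString *b)
{
    return strcmp(a->data, b->data);
}

/* Naive comparison: dereferences the optional field unconditionally, so two
 * names that both omit nameAssigner hit a NULL pointer dereference (a crash,
 * i.e. denial of service) instead of being reported equal. */
int edipartyname_cmp_naive(const EdiPartyName *a, const EdiPartyName *b)
{
    int r = dirstring_cmp(a->nameAssigner, b->nameAssigner); /* NULL deref if absent */
    return r != 0 ? r : dirstring_cmp(a->partyName, b->partyName);
}

/* NULL-safe comparison: an absent optional field is a value in its own right.
 * Returns 0 only when both parts match, non-zero otherwise. */
int edipartyname_cmp_safe(const EdiPartyName *a, const EdiPartyName *b)
{
    if (a == NULL || b == NULL || a->partyName == NULL || b->partyName == NULL)
        return -1;                                  /* malformed input is never equal */
    if ((a->nameAssigner == NULL) != (b->nameAssigner == NULL))
        return -1;                                  /* present on one side only */
    if (a->nameAssigner != NULL) {
        int r = dirstring_cmp(a->nameAssigner, b->nameAssigner);
        if (r != 0)
            return r;
    }
    return dirstring_cmp(a->partyName, b->partyName);
}

int main(void)
{
    DirString party = { "Example Party" };         /* constructed sample value */
    EdiPartyName a = { NULL, &party }, b = { NULL, &party };
    /* edipartyname_cmp_naive(&a, &b) would crash here; the safe one returns 0. */
    printf("safe cmp: %d\n", edipartyname_cmp_safe(&a, &b));
    return 0;
}
```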
The list of national cybersecurity agencies that have released advisories and alerts for CVE-2020-1971 includes Japan's JPCERT, France's CERT-FR, India's National Critical Information Infrastructure Protection Center, and Australia's AusCERT. The European Union's CERT-EU has shared links to news articles and advisories covering CVE-2020-1971.
Palo Alto Networks published an advisory on Wednesday to inform customers that the OpenSSL vulnerability does not impact its PAN-OS, GlobalProtect App, or Cortex XSOAR products.
Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-12-08 | CVE-2020-1971 | NULL Pointer Dereference vulnerability in multiple products. The X.509 GeneralName type is a generic type for representing different types of names. | 5.9 |