Three New Vulnerabilities Patched in OpenSSL (Security News, February 2021)
The OpenSSL Project on Tuesday announced the availability of patches for three vulnerabilities, including two that can be exploited for denial-of-service attacks and one related to incorrect SSLv2 rollback protection.
One of the flaws was reported to OpenSSL developers by Google Project Zero researcher Tavis Ormandy, and it has been patched with the release of OpenSSL 1.1.1j. Versions 1.1.1i and earlier are impacted.
Another low-severity issue, CVE-2021-23839, was reported to the OpenSSL Project by researchers at cybersecurity firm Trustwave, who discovered that servers using OpenSSL 1.0.2 are vulnerable to SSL version rollback attacks.
An attack can only be launched against certain configurations, and OpenSSL 1.1.1 is not impacted.
CVE-2021-23839 has been patched in version 1.0.2y. However, OpenSSL 1.0.2 is no longer supported so the update is only available to premium support customers.
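The article names two fixed releases, 1.1.1j for the 1.1.1 branch (1.1.1i and earlier affected) and 1.0.2y for the 1.0.2 branch. The following is an added example, not code from the article or from the OpenSSL project: a small Python checker that parses the output of `openssl version`, understands OpenSSL's letter-suffix release ordering (1.1.1, 1.1.1a, ..., 1.1.1z, 1.1.1za), and reports whether the installed build falls below the fixed release for its branch. The sample version strings are constructed for illustration.

```python
import re
import subprocess

# Branch -> first fixed letter-release named in the article summarised above:
# 1.1.1j fixes the 1.1.1 flaws (1.1.1i and earlier affected); 1.0.2y fixes
# CVE-2021-23839 for the out-of-support 1.0.2 branch.
FIXED_IN = {
    (1, 1, 1): "j",
    (1, 0, 2): "y",
}

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return (major, minor, patch, letters) from `openssl version` output, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def _letter_rank(letters):
    """Sort key for OpenSSL letter releases: '' < 'a' < ... < 'z' < 'za' < 'zb'.

    The empty suffix is the base release. Longer suffixes always sort after
    shorter ones, which is how OpenSSL continues past 'z'.
    """
    rank = 0
    for ch in letters:
        rank = rank * 26 + (ord(ch) - ord("a") + 1)
    return (len(letters), rank)


def assess(text):
    """Classify a version string against the February 2021 OpenSSL releases.

    Returns 'affected', 'fixed', 'not-covered' (a branch the article does not
    mention, e.g. 3.x) or 'unparsed' (not an OpenSSL version string at all).
    """
    v = parse_version(text)
    if v is None:
        return "unparsed"
    branch, letters = v[:3], v[3]
    if branch not in FIXED_IN:
        return "not-covered"
    if _letter_rank(letters) < _letter_rank(FIXED_IN[branch]):
        return "affected"
    return "fixed"


def assess_local():
    """Run the locally installed `openssl version` and classify it."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return "unparsed"
    return assess(out)


if __name__ == "__main__":
    # Constructed sample strings in the format `openssl version` prints.
    for sample in ("OpenSSL 1.1.1i  (constructed)",
                   "OpenSSL 1.1.1j  (constructed)",
                   "OpenSSL 1.0.2u  (constructed)",
                   "OpenSSL 3.0.0  (constructed)"):
        print(f"{sample!r}: {assess(sample)}")
    print("local build:", assess_local())
```

The version string is only a first-pass signal: distributions frequently backport fixes without bumping the upstream letter (a build can report 1.1.1d and still carry the February 2021 fixes), so a result of "affected" should be confirmed against the package's changelog or the vendor's advisory rather than treated as final.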
OpenSSL has come a long way in terms of security since the disclosure of the vulnerability dubbed Heartbleed back in 2014.
News URL: http://feedproxy.google.com/~r/Securityweek/~3/9niBIQezyfo/three-new-vulnerabilities-patched-openssl
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2021-02-16 | CVE-2021-23839 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in multiple products (OpenSSL 1.0.2 supports SSLv2) | 3.7