New OpenSSL vulnerability is announced shortly after Heartbleed Bug scare


It hasn't been long since the OpenSSL Heartbleed bug rattled the Internet. I have not posted anything about it on this blog because I believe bugs exist in any software. But some bugs are more serious than others, and some software is more important than other software, OpenSSL being one such example. It came as a bit of a surprise to see a new OpenSSL bug announced to the public yesterday, so soon after Heartbleed, in "OpenSSL Security Advisory [05 Jun 2014]". To quote the advisory:

"An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution."

WebSphere Application Server, IBM Integration Bus and WebSphere MQ do not use OpenSSL, so their users are not at risk from this bug. However, if you are using Tomcat (with the APR/native connector, which is the only Tomcat configuration that links against OpenSSL), ActiveMQ or other open source products that rely on OpenSSL, you should apply the upgrade quickly. Two points worth remembering: the attack needs a vulnerable client *and* a vulnerable server, so client-side libraries (curl, wget, language runtimes linked against libssl) deserve the same upgrade, and installing the new library is not enough on its own; long-running processes keep the old libssl mapped until they are restarted.
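As an added check (not part of the original post or the OpenSSL project's own tooling), the following Python script classifies an `openssl version` banner against the rules in the quoted advisory: clients are affected in every unpatched release, servers only on 1.0.1 and 1.0.2-beta1. The fixed release numbers it uses (0.9.8za, 1.0.0m, 1.0.1h) come from the full advisory rather than the excerpt quoted above, so treat them as the example's assumption; the sample banners are constructed, and the treatment of 1.0.2 builds other than beta1 as post-fix is likewise an assumption.

```python
"""Classify an `openssl version` banner against the 05 Jun 2014 advisory.

Added example, not code from the original post or from the OpenSSL project.
Assumptions: the fixed releases (0.9.8za, 1.0.0m, 1.0.1h) come from the full
advisory, which the post quotes only in part; any 1.0.2 build other than
beta1 is treated as post-fix.
"""
import re
import subprocess
from typing import NamedTuple, Optional, Tuple

# First release on each branch that carries the fix (assumption, see above).
FIXED_LETTER = {(0, 9, 8): "za", (1, 0, 0): "m", (1, 0, 1): "h"}

# Servers are only known to be vulnerable on these branches (advisory text).
SERVER_AFFECTED = {(1, 0, 1), (1, 0, 2)}

# Matches "OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 1.0.2-beta1 ...",
# and distro builds such as "OpenSSL 1.0.1e-fips 11 Feb 2013".
BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")


class Version(NamedTuple):
    branch: Tuple[int, int, int]
    letter: str            # patch letter(s): "", "g", "za" ...
    beta: Optional[str]    # "beta1" for 1.0.2-beta1, else None


def parse_banner(banner: str) -> Version:
    """Extract branch, patch letter and beta tag from an `openssl version` line."""
    m = BANNER_RE.search(banner)
    if m is None:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    major, minor, fix, letter, beta = m.groups()
    return Version((int(major), int(minor), int(fix)), letter, beta)


def is_patched(v: Version) -> bool:
    """True when the release already contains the 05 Jun 2014 fix."""
    if v.branch == (1, 0, 2):
        # Only 1.0.2-beta1 existed when the advisory went out; it is affected.
        return v.beta != "beta1"
    fixed = FIXED_LETTER.get(v.branch)
    if fixed is None:
        # No fix was issued for end-of-life branches (0.9.7 and older);
        # anything newer than 1.0.2 post-dates the advisory (assumption).
        return v.branch > (1, 0, 2)
    # Patch letters sort lexically: "" < "a" < ... < "z" < "za" < "zb".
    return v.letter >= fixed


def assess(banner: str) -> dict:
    """Apply the advisory's client/server rules to one version banner."""
    v = parse_banner(banner)
    patched = is_patched(v)
    return {
        "branch": ".".join(map(str, v.branch)),
        "patched": patched,
        # Clients are vulnerable in every unpatched release.
        "client_vulnerable": not patched,
        # Servers only on 1.0.1 and 1.0.2-beta1.
        "server_vulnerable": (not patched) and v.branch in SERVER_AFFECTED,
    }


def local_banner() -> Optional[str]:
    """Return the banner of the openssl binary on PATH, or None if absent."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    # Constructed sample banners covering each branch the advisory mentions.
    samples = [
        "OpenSSL 0.9.8y 5 Feb 2013",
        "OpenSSL 1.0.0k 5 Feb 2013",
        "OpenSSL 1.0.1e-fips 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "OpenSSL 1.0.1h 5 Jun 2014",
    ]
    live = local_banner()
    if live:
        samples.append(live)
    for b in samples:
        r = assess(b)
        print(f"{b:40} client={r['client_vulnerable']!s:5} "
              f"server={r['server_vulnerable']!s:5}")
```

Run it on each host; when an `openssl` binary is on PATH its banner is appended to the constructed samples. One caveat: distributions such as Debian and Red Hat backport fixes without changing the patch letter, so a "vulnerable" verdict from the banner alone must be confirmed against the package changelog on those systems, and the program actually serving TLS (Tomcat's tcnative, a library bundled with ActiveMQ) may carry its own copy of libssl rather than use the system one.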



Categories: News
