OpenSSL Hit By New High Severity Security Issue
OpenSSL has been hit by another "high" severity security vulnerability.
While OpenSSL's code has improved in the three years since the Heartbleed vulnerability, new issues continue to come up for this important open-source project. From CVE-2017-3733:
Encrypt-Then-Mac renegotiation crash (CVE-2017-3733)
====================================================
Severity: High
During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers are affected.
OpenSSL 1.1.0 users should upgrade to 1.1.0e

The good news is that OpenSSL 1.0.2 isn't affected by this issue; this time around it affects only OpenSSL 1.1 (pre-1.1.0e).
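To check a host against the version range given above, the following added example (not part of the article or of OpenSSL) classifies an `openssl version` banner. The function name `etm_reneg_status` and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an `openssl version` banner against the range in
# the CVE-2017-3733 advisory text (1.1.0 releases before 1.1.0e are affected,
# 1.0.2 is not). The function name is hypothetical.

# etm_reneg_status BANNER -> prints affected | fixed | not-affected | unknown
etm_reneg_status() {
    banner=$1
    name=${banner%% *}        # first word, e.g. "OpenSSL"
    rest=${banner#* }         # everything after the first space
    ver=${rest%% *}           # second word, e.g. "1.1.0d" or "1.0.2k-fips"

    # Other TLS libraries are not covered by this advisory.
    [ "$name" = "OpenSSL" ] || { echo unknown; return 0; }

    case "$ver" in
        # 1.1.0 and letter releases a-d predate the fixed 1.1.0e.
        1.1.0|1.1.0[abcd]|1.1.0[abcd]-*)  echo affected ;;
        # 1.1.0e and later letter releases of the 1.1.0 line.
        1.1.0[a-z]|1.1.0[a-z]-*)          echo fixed ;;
        # The 1.0.2 line is stated as not affected.
        1.0.2|1.0.2[a-z]*|1.0.2-*)        echo not-affected ;;
        # Anything else (pre-releases, other branches) is not covered by
        # the advisory text quoted here.
        *)                                echo unknown ;;
    esac
}

# Constructed sample banners, so the example runs offline.
for b in "OpenSSL 1.1.0d  26 Jan 2017" \
         "OpenSSL 1.1.0e  16 Feb 2017" \
         "OpenSSL 1.0.2k-fips  26 Jan 2017"; do
    printf '%-36s %s\n' "$b" "$(etm_reneg_status "$b")"
done

# Classify the local binary if one is installed.
if command -v openssl >/dev/null 2>&1; then
    printf 'local: %s\n' "$(etm_reneg_status "$(openssl version)")"
fi
```

The banner only reports the upstream version string; distribution packages can carry backported fixes without changing the letter, so confirm an `affected` result against the vendor's package changelog.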