ADVISORY: OpenSSL upgrades fix numerous security problems

Thursday, March 19, 2015

This information was sent to U-M IT staff groups March 19, 2015. 
Note: Some message recipients who use M+Google Mail have reported that Google put it in their spam folder. If this happened to you, please mark the message as "Not Spam."

This information is intended for U-M IT staff who are responsible for maintaining and running university machines that run OpenSSL.

Summary: 

OpenSSL has released new versions (1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf) that fix numerous security problems, two of which are classified as high severity. No active exploits have been reported at this time. IIA recommends that those responsible for machines running OpenSSL upgrade to the new versions according to their normal planned update schedules after appropriate testing.

While this is not an emergency upgrade, it is important that you complete this patching in a timely manner.

Affected Systems: 

Systems running OpenSSL.

Action Items: 

Upgrade to the new versions according to normal planned update schedules after appropriate testing. Many of you have likely already done the OpenSSL 1.0 and 0.9 upgrades in response to the FREAK vulnerability announced earlier in March.

  • OpenSSL 1.0.2: upgrade to 1.0.2a
  • OpenSSL 1.0.1: upgrade to 1.0.1m.
  • OpenSSL 1.0.0: upgrade to 1.0.0r.
  • OpenSSL 0.9.8: upgrade to 0.9.8zf.

For technical details about the remaining security problems fixed by the upgrades, see the OpenSSL Security Advisory.

Technical Details: 

No active exploits have been reported at this time. These two security issues are classified as high severity:

  • OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291). If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension a NULL pointer dereference will occur. This can be exploited in a DoS attack against the server.
  • RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204). This is a reclassification from low to high severity of a previously announced security issue, the FREAK vulnerability. IIA recommended updates in response to the FREAK vulnerability on March 4.
Information for Users: 

Users do not need to take any specific actions because of the OpenSSL vulnerabilities other than to continue to follow safe computing best practices:

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Spam, Phishing, and Suspicious Email, Instructions for Securing Your Devices and Data, and Use a Secure Internet Connection.

Questions, Concerns, Reports: 

Please contact iia.inform@umich.edu.

Sincerely, 
Sol Bermann, 
Interim University of Michigan Chief Information Security Officer 
Privacy Officer and IT Policy, Compliance and Enterprise Continuity Strategist