ALERT: Preparing now for expected OpenSSL patches

Wednesday, March 18, 2015

This information was sent via email to the U-M IT Security Community on March 18, 2015.

Updates to versions of OpenSSL (Secure Sockets Layer) are expected on March 19 to address newly discovered vulnerabilities. The OpenSSL team has not yet provided information about the vulnerabilities, but has announced that one of them is classified as "high" severity.

IIA is monitoring the situation and expects to issue an alert that instructs those responsible for U-M systems running OpenSSL to update to the new versions. Here are our current recommendations:

  • Review the versions of OpenSSL you are running to determine if your systems will be affected.
  • Begin planning for the work of doing the upgrades.
  • Review the references and other information below.

Summary

The OpenSSL project team has announced that OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf will be released on March 19. The new releases will fix a number of security defects, one of which is classified as “high” severity.

Threats

 Information is not yet available.

Affected Systems

Systems running OpenSSL.

Information for Users

There is no immediate recommendation for users with regard to the OpenSSL vulnerabilities.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Spam, Phishing, and Suspicious Email, Instructions for Securing Your Devices and Data, and Use a Secure Internet Connection.