Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

OpenSSL patch fixes DoS vulnerability introduced by last patch

Popular security library updated to fix serious flaw

Article comments

The OpenSSL Project has released new versions of the popular OpenSSL library in order to address a denial-of-service (DoS) vulnerability that was introduced by a critical patch issued on Jan. 6.

"A flaw in the fix to CVE-2011-4108 can be exploited in a denial of service attack," the OpenSSL developers warned in a newly published advisory. The issue has been addressed in the new OpenSSL 1.0.0g and 0.9.8t versions.

CVE-2011-4108 refers to a serious vulnerability in OpenSSL's implementation of the DTLS (Datagram Transport Layer Security) protocol, which allows attackers to decrypt secured communications without knowing the encryption key.

The vulnerability was discovered by Nadhem Alfardan and Kenny Paterson of the Information Security Group at Royal Holloway, University of London (RHUL), while investigating weaknesses in the CBC (Cipher-block chaining) mode of operation.

The researchers plan to present their "padding oracle attack" against DTLS at the 19th Annual Network & Distributed System Security (NDSS) Symposium in February. Padding oracle attacks work by analyzing timing differences that arise during the decryption process in order to recover plain text from encrypted communications.

Users who have not yet upgraded to OpenSSL 1.0.0f or 0.9.8s in order to protect their DTLS applications against CVE-2011-4108, are advised to upgrade directly to the newly released OpenSSL 1.0.0g or 0.9.8t.

OpenSSL is available for a wide variety of platforms, including Linux, Solaris, Mac OS X, BSD, Windows and OpenVMS. Some of these operating systems include OpenSSL by default and deliver updates for it through their own channels.



Share:

More from Techworld

More relevant IT news

Comments



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *