OpenSSL Releases Critical Updates

SUBTITLE: Remote Code Execution | CVE-2014-0195
SUBTITLE: Man in the Middle | CVE-2014-0224
ACTION: Update OpenSSL to current version

Heartbleed part 2?! Not quite.

This is an RCE vulnerability in OpenSSL, and all versions are technically vulnerable. However, this is more of a concern with SSL VPN protocols than with HTTPS. There’s also a separate man-in-the-middle (MITM) vulnerability, and it’s probably worth updating for, but it really shouldn’t be as bad: both ends of the connection would have to be vulnerable for an exploit to work, and only version 1.0.1 is actually vulnerable on the server side.

Check CVE-2014-0195 and CVE-2014-0224 for details on the scary vulnerabilities. Other vulnerabilities are patched as well, but they do not kick in the adrenaline with scary acronyms and ominous threat levels.

No action will be taken by the NOC at this point. If you don’t know if you need to deal with this, you probably don’t. If you have a webserver, please take care of it ASAP. Once you’ve patched, you should be on one of the following versions:

OpenSSL 0.9.8za
OpenSSL 1.0.0m
OpenSSL 1.0.1h
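
To confirm a host landed on one of those releases, the script below (an added example, not from OpenSSL or the original post) takes the output of `openssl version` and compares its letter suffix against the fixed release for its branch. The function names are hypothetical and the sample strings are constructed; it returns 0 when at or past the fix, 1 when older, and 2 when the string or branch is not one of the three listed here.

```shell
#!/bin/sh
# Added example: check an `openssl version` string against the fixed
# releases listed in this post. Function names are hypothetical.

# Fixed letter release for each branch (from the list above).
fixed_suffix() {
    case "$1" in
        0.9.8) echo "za" ;;
        1.0.0) echo "m" ;;
        1.0.1) echo "h" ;;
        *) return 1 ;;
    esac
}

# suffix_ge A B: succeed when letter suffix A is B or a later release.
# Letters run a..z, then za, zb, ...: a longer suffix is later, and
# suffixes of equal length compare alphabetically.
suffix_ge() {
    if [ "${#1}" -ne "${#2}" ]; then
        if [ "${#1}" -gt "${#2}" ]; then return 0; else return 1; fi
    fi
    first=$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort | head -n 1)
    if [ "$first" = "$2" ]; then return 0; else return 1; fi
}

# Returns 0 = at or past the fixed release, 1 = older, 2 = not recognised.
check_openssl_version() {
    parsed=$(printf '%s\n' "$1" | sed -n \
        's/^\(OpenSSL \)\{0,1\}\([0-9]*\.[0-9]*\.[0-9]*\)\([a-z]*\).*$/\2 \3/p')
    [ -n "$parsed" ] || return 2
    branch=${parsed%% *}      # e.g. 1.0.1
    suffix=${parsed#* }       # e.g. g (empty for a base release)
    fixed=$(fixed_suffix "$branch") || return 2
    if suffix_ge "$suffix" "$fixed"; then return 0; else return 1; fi
}

# Constructed sample inputs; on a real host pass "$(openssl version)".
for sample in "OpenSSL 1.0.1g" "OpenSSL 0.9.8za" "OpenSSL 1.0.0"; do
    rc=0
    check_openssl_version "$sample" || rc=$?
    echo "$sample -> $rc"
done
```

Distribution packages frequently backport fixes without changing the upstream letter, so a result of 1 on a vendor build should be checked against the vendor's advisory.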

Details from OpenSSL.org