Home » OpenSSL: Vulnerability enables denial of service

OpenSSL: Vulnerability enables denial of service

by admin
OpenSSL: Vulnerability enables denial of service

A security warning issued for OpenSSL has received an update from the BSI. You can read a description of the security gap including the latest updates and information about affected operating systems and products here.

The Federal Office for Security in Information Technology (BSI) released an update on December 8th, 2023 to a security vulnerability for OpenSSL that became known on April 22nd, 2020. The security vulnerability affects the operating systems UNIX and Linux as well as the products Debian Linux, FreeBSD Project FreeBSD OS, SUSE Linux, Oracle Linux, Open Source Arch Linux, Open Source OpenSSL, Tenable Security Nessus and Tenable Security Nessus Network Monitor.

The latest manufacturer recommendations regarding updates, workarounds and security patches for this vulnerability can be found here: Oracle Linux Security Advisory ELSA-2023-13024 (As of December 7th, 2023). Other useful resources are listed later in this article.

Security notice for OpenSSL – Risk: medium

Risk level: 3 (medium)
CVSS Base Score: 7,5
CVSS Temporal Score: 6,7
Remoteangriff: Ja

The Common Vulnerability Scoring System (CVSS) is used to assess the vulnerability of computer systems. The CVSS standard makes it possible to compare potential or actual security vulnerabilities based on various metrics in order to better prioritize countermeasures. The attributes “none”, “low”, “medium”, “high” and “critical” are used to determine the severity levels of a vulnerability. The Base Score evaluates the requirements for an attack (including authentication, complexity, privileges, user interaction) and its consequences. With the temporal score, framework conditions that can change over time are taken into account in the evaluation. The severity of the current vulnerability is classified as “medium” according to the CVSS with a base score of 7.5.

See also  Krypton Evening News丨Apple Customer Service: Power cuts have no effect on iPhone13, and orders can be placed normally; reports say that the location of Samsung's second US wafer fab is about to be finalized, with an investment of up to 17 billion US dollars; Ministry of Education: no illegal activities during National Day Subject Off-campus Training_Detailed Interpretation_Latest News_Hot Events-36kr

OpenSSL Bug: Vulnerability enables denial of service

OpenSSL is a freely available source code library that implements Secure Sockets Layer (SSL) and Transport Layer Security (TLS).

A remote, anonymous attacker could exploit a vulnerability in OpenSSL to conduct a denial of service attack.

The vulnerability was classified using the CVE designation system (Common Vulnerabilities and Exposures) by the individual serial number CVE-2020-1967.

Systems affected by the OpenSSL security vulnerability at a glance

Operating systems
UNIX, Linux

Products
Debian Linux (cpe:/o:debian:debian_linux)
FreeBSD Project FreeBSD OS (cpe:/o:freebsd:freebsd)
SUSE Linux (cpe:/o:suse:suse_linux)
Oracle Linux (cpe:/o:oracle:linux)
Open Source Arch Linux (cpe:/o:archlinux:archlinux)
Open Source OpenSSL Tenable Security Nessus (cpe:/a:tenable:nessus)
Tenable Security Nessus Network Monitor (cpe:/a:tenable:nessus_network_monitor)

General measures for dealing with IT security gaps

Users of the affected applications should keep them up to date. When security gaps become known, manufacturers are required to fix them as quickly as possible by developing a patch or a workaround. If new security updates become available, install them promptly. For information, consult the sources listed in the next section. These often contain further information about the latest version of the software in question as well as the availability of security patches or information about workarounds. If you have any further questions or uncertainties, please contact your responsible administrator. IT security managers should regularly check the sources mentioned to see whether a new security update is available.

Sources of updates, patches and workarounds

Here you will find further links with information about bug reports, security fixes and workarounds.

Oracle Linux Security Advisory ELSA-2023-13024 vom 2023-12-07 (08.12.2023)
For more information, see:

See also  GitLab: New vulnerability! UNIX and Linux affected

Oracle Linux Security Advisory ELSA-2023-13026 vom 2023-12-07 (08.12.2023)
For more information, see:

Oracle Linux Security Advisory ELSA-2023-32791 vom 2023-12-07 (08.12.2023)
For more information, see:

Oracle Linux Security Advisory ELSA-2023-32790 vom 2023-12-07 (08.12.2023)
For more information, see:

Oracle Linux Security Advisory ELSA-2023-13027 vom 2023-12-07 (08.12.2023)
For more information, see:

Oracle Linux Security Advisory ELSA-2023-13025 vom 2023-12-07 (08.12.2023)
For more information, see:

Tenable Security Advisory (03.02.2021)
For more information, see:

Tenable Security Advisory (03.02.2021)
For more information, see:

SUSE Security Update SUSE-SU-2020:2041-1 vom 2020-07-24 (27.07.2020)
For more information, see:

Tenable Security Advisory (03.06.2020)
For more information, see:

securityaffairs.co from 2020-05-05 (06.05.2020)
For more information, see:

Tenable Security Advisory (29.04.2020)
For more information, see:

Arch Linux Security Advisory ASA-202004-19 vom 2020-04-24 (24.04.2020)
For more information, see:

Microsoft Security Update Guide ADV200007 dated 2020-04-21 (22.04.2020)
For more information, see:

SUSE Security Update SUSE-SU-2020:1058-1 vom 2020-04-21 (22.04.2020)
For more information, see:

FreeBSD Security Advisory FreeBSD-SA-20:11.openssl vom 2020-04-21 (22.04.2020)
For more information, see:

Debian Security Advisory DSA-4661-1 vom 2020-04-21 (22.04.2020)
For more information, see:

Arch Linux Security Advisory ASA-202004-18 vom 2020-04-21 (22.04.2020)
For more information, see:

OpenSSL Security Advisory 20200421 vom 2020-04-21 (22.04.2020)
For more information, see:

Version history of this security alert

This is the 8th version of this IT security notice for OpenSSL. This text will be updated as further updates are announced. You can read about changes or additions in this version history.

April 22, 2020 – Initial version
April 24, 2020 – New updates of Arch Linux added
April 29, 2020 – New updates from Tenable added
May 6, 2020 – Exploit added
June 3, 2020 – New updates from Tenable added
July 27, 2020 – New updates from SUSE added
02/03/2021 – New updates from Tenable added
12/08/2023 – New updates to Oracle Linux added

See also  Mario Kart 8 Deluxe Edition 3rd wave of DLC previewed this winter | 4Gamers

+++ Editorial note: This text was created using AI based on current BSI data. We accept feedback and comments at [email protected]. +++

follow News.de already at Facebook, Twitter, Pinterest and YouTube? Here you will find hot news, current videos and a direct line to the editorial team.

Edited by kns

roj/news.de

You may also like

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More

Privacy & Cookies Policy