OpenSSL has recently disclosed a high severity vulnerability that may require you to upgrade your version of OpenSSL.
Comodo anticipates this flaw will affect only a small percentage of installations, because the bug is present only in the OpenSSL releases published in June 2015. There are no reports of this bug being exploited in the wild.
Affected OpenSSL versions
1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
What is the flaw?
During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and “issue” an invalid certificate.
This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.
How do I fix it?
Any systems using one of the vulnerable versions listed above need to be upgraded as follows:
– OpenSSL 1.0.2b/1.0.2c users should upgrade to OpenSSL 1.0.2d
– OpenSSL 1.0.1n/1.0.1o users should upgrade to OpenSSL 1.0.1p
If you are not running one of the versions above then you need to take no action.
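To confirm that a build enforces the CA flag while building a chain, the following added example (not from Comodo or the OpenSSL advisory) uses the openssl command line to create a throwaway PKI in a temporary directory: a root, a leaf marked CA:FALSE, and a certificate signed with that leaf's key, which is the shape of chain the flaw allowed through. It assumes an openssl binary on PATH with a usable default configuration; every name in it is constructed.

```shell
#!/bin/sh
# Added example: throwaway PKI, root (CA:TRUE) -> leaf (CA:FALSE) -> cert signed
# with the leaf's key. All names are constructed; needs openssl on PATH.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\n' > ee.ext

# gen_cert NAME SUBJECT EXTFILE [ISSUER]: self-signed when ISSUER is omitted.
# 'x509 -req -CA' never checks whether the signing cert is a CA, so the third
# call below produces the mis-issued certificate on purpose.
gen_cert() {
    name=$1; subj=$2; ext=$3; issuer=${4:-}
    openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
        -out "$name.csr" -subj "$subj" >/dev/null 2>&1
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 30 \
            -extfile "$ext" -out "$name.pem" >/dev/null 2>&1
    else
        openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
            -CAcreateserial -days 30 -extfile "$ext" -out "$name.pem" >/dev/null 2>&1
    fi
}

# verify_chain CERT UNTRUSTED: succeeds only if OpenSSL builds a valid chain to
# root.pem. A fixed build must reject an intermediate that carries CA:FALSE.
verify_chain() {
    openssl verify -CAfile root.pem -untrusted "$2" "$1" 2>&1 | grep -q ': OK$'
}

gen_cert root   "/CN=Demo Root"      ca.ext
gen_cert leaf   "/CN=leaf.example"   ee.ext root
gen_cert victim "/CN=victim.example" ee.ext leaf

if verify_chain leaf.pem leaf.pem; then genuine=accepted; else genuine=rejected; fi
if verify_chain victim.pem leaf.pem; then forged=accepted; else forged=rejected; fi
# Expected on a patched build: "genuine leaf: accepted, leaf-issued cert: rejected"
echo "genuine leaf: $genuine, leaf-issued cert: $forged"
```

If the second line reports "accepted", the verifier in use still treats a CA:FALSE certificate as an issuer and the OpenSSL version should be checked against the affected list above.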
Red Hat has also announced that no Red Hat products are affected by the flaw described in CVE-2015-1793. It is expected that CentOS and Ubuntu are also not impacted.
The full announcement from OpenSSL is at https://www.openssl.org/news/secadv_20150709.txt
As always, Comodo is available to offer help and advice to our customers should they have further questions.
The Comodo CA team