MyCERT Advisories


MyCERT Advisories, Alerts and Summaries for the year 2017

MA-650.022017: MyCERT Advisory – OpenSSL Releases Security Update 
Date first published: 20/2/2017 


1.0 Introduction 
OpenSSL version 1.1.0e has been released to address a vulnerability for users of version 1.1.0.  

2.0 Impact
• Exploitation of this vulnerability may allow a remote attacker to cause a denial-of-service condition. 
• Description: Encrypt-Then-Mac renegotiation crash (CVE-2017-3733). During a renegotiation handshake, if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa), this can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers are affected.
• Severity: High 

3.0 Affected Products 
• OpenSSL 1.1.0  

4.0 Recommendation
Users of affected versions of OpenSSL are advised to apply the following update:
• OpenSSL 1.1.0 users should upgrade to 1.1.0e 
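
A version check for the recommendation above, as an added example that is not part of the MyCERT advisory or of OpenSSL's own tooling. The function name classify_openssl and the sample banners are constructed for illustration; it classifies the banner printed by `openssl version` against the affected range given here (the 1.1.0 series before 1.1.0e).

```sh
#!/bin/sh
# Added example: classify an `openssl version` banner against this advisory.
# Affected per the advisory: OpenSSL 1.1.0 releases before 1.1.0e (CVE-2017-3733).
LC_ALL=C; export LC_ALL   # keep [a-d] style ranges byte-ordered

# classify_openssl "<banner>" prints one of:
#   affected    1.1.0 or 1.1.0a..1.1.0d (upgrade to 1.1.0e)
#   fixed       1.1.0e or a later 1.1.0 letter release
#   not-listed  an OpenSSL branch this advisory does not list as affected
#   unknown     not an OpenSSL banner, or a 1.1.0 build that needs manual review
classify_openssl() {
    # The second field of the banner is the version, e.g. "1.1.0d" or "1.0.2k-fips".
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    case "$ver" in
        "")                              echo unknown ;;
        1.1.0|1.1.0[a-d]|1.1.0[a-d]-*)   echo affected ;;
        1.1.0[e-z]|1.1.0[e-z]-*)         echo fixed ;;
        1.1.0*)                          echo unknown ;;   # e.g. pre-release builds
        *)                               echo not-listed ;;
    esac
}

# Constructed sample banners (not captured from real hosts).
for banner in \
    "OpenSSL 1.1.0  25 Aug 2016" \
    "OpenSSL 1.1.0d  26 Jan 2017" \
    "OpenSSL 1.1.0e  16 Feb 2017" \
    "OpenSSL 1.0.2k-fips  26 Jan 2017" \
    "LibreSSL 2.8.3"
do
    printf '%-36s -> %s\n' "$banner" "$(classify_openssl "$banner")"
done

# Check the binary on this host, if one is installed.
if command -v openssl >/dev/null 2>&1; then
    banner=$(openssl version 2>/dev/null || true)
    printf 'local: %s -> %s\n' "$banner" "$(classify_openssl "$banner")"
fi
```

Distribution packages may carry backported fixes without changing the upstream version letter, and applications can link a different libssl than the command-line binary, so confirm an "affected" result against the vendor's package changelog.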


Generally, MyCERT advises users of this software to keep up to date with the latest security announcements from the vendor and to follow best practice security policies to determine which updates should be applied. For further enquiries, please contact MyCERT through the following channels:

Phone: 1-300-88-2999 (monitored during business hours)

Fax: +603 89453442 
Mobile: +60 19 2665850 (24x7 call incident reporting)

SMS: CYBER999 REPORT EMAIL COMPLAINT to 15888

Business Hours: Mon - Fri 09:00 AM - 18:00 PM MYT

Cyber999 Mobile Apps: iOS Users or Android Users

5.0 References