MyCERT Advisories, Alerts and Summaries for the year 2017
MA-650.022017: MyCERT Advisory – OpenSSL Releases Security Update
Date first published: 20/2/2017
OpenSSL version 1.1.0e has been released to address a vulnerability for users of version 1.1.0.
• Exploitation of this vulnerability may allow a remote attacker to cause a denial-of-service condition.
• Description: Encrypt-Then-Mac renegotiation crash (CVE-2017-3733). During a renegotiation handshake, if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice versa), OpenSSL can crash (dependent on ciphersuite). Both clients and servers are affected.
• Severity: High
3.0 Affected Products
• OpenSSL 1.1.0
Users of affected versions of OpenSSL are advised to apply the update as follows:
• OpenSSL 1.1.0 users should upgrade to 1.1.0e
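One way to check a host against the affected range above, as an added example that is not part of the MyCERT advisory: the function classifies an `openssl version` banner as affected, fixed, out of scope or unknown. The function name, status labels and sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an `openssl version` banner against this advisory.
# Per the advisory, the affected branch is 1.1.0 and the fix is 1.1.0e.
# Caveat: distribution packages may backport the fix without changing the
# upstream version letter, so confirm "affected" against the package changelog.

classify_openssl() {
    banner=$1
    # Only handle banners of the form "OpenSSL <version> <date>".
    case $banner in
        "OpenSSL "*) ;;
        *) echo unknown; return ;;
    esac
    rest=${banner#OpenSSL }
    ver=${rest%% *}          # version token, e.g. "1.1.0d"

    # Letters are enumerated instead of using ranges so the match
    # does not depend on the shell's locale collation.
    case $ver in
        1.1.0|1.1.0[abcd])
            echo affected ;;      # 1.1.0 through 1.1.0d
        1.1.0[efghijklmnopqrstuvwxyz])
            echo fixed ;;         # 1.1.0e or a later letter release
        1.1.0*)
            echo unknown ;;       # pre-release or vendor-tagged 1.1.0 build
        [0-9]*.[0-9]*.[0-9]*)
            echo out-of-scope ;;  # a branch this advisory does not list
        *)
            echo unknown ;;
    esac
}

# Direct use: sh check_openssl.sh "$(openssl version)"
if [ $# -gt 0 ]; then
    classify_openssl "$1"
fi
```

Applications that bundle or statically link their own OpenSSL are not covered by the system binary's banner and need to be checked separately.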
Generally, MyCERT advises users of this software to keep up to date with the vendor's latest security announcements and to follow best-practice security policies to determine which updates should be applied. For further enquiries, please contact MyCERT through the following channels:
Phone: 1-300-88-2999 (monitored during business hours)
Fax: +603 89453442
Mobile: +60 19 2665850 (24x7 call incident reporting)
SMS: CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours: Mon - Fri 09:00 AM - 18:00 PM MYT