Cisco Security Advisory: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: September 2016

From: Cisco Systems Product Security Incident Response Team <psirt@cisco.com>
To: bugtraq@securityfocus.com
Cc: psirt@cisco.com
Subject: Cisco Security Advisory: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: September 2016
Date:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: September 2016 

Advisory ID: cisco-sa-20160927-openssl

Revision: 1.0

For Public Release 2016 September 27 22:40 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======


On September 22, 2016, the OpenSSL Software Foundation released an advisory that describes 14 vulnerabilities. Of these 14 vulnerabilities, the OpenSSL Software Foundation classifies one as \u20ac\u0153Critical Severity,\u20ac one as \u20ac\u0153Moderate Severity,\u20ac and the other 12 as \u20ac\u0153Low Severity.\u20ac

Subsequently, on September 26, the OpenSSL Software Foundation released an additional advisory that describes two new vulnerabilities. These vulnerabilities affect the OpenSSL versions that were released to address the vulnerabilities disclosed in the previous advisory. One of the new vulnerabilities was rated as \u20ac\u0153High Severity\u20ac and the other as \u20ac\u0153Moderate Severity.\u20ac

Of the 16 released vulnerabilities:
    Fourteen track issues that could result in a denial of service (DoS) condition
    One (CVE-2016-2183, aka SWEET32) tracks an implementation of a Birthday attack against Transport Layer Security (TLS) block ciphers that use a 64-bit block size that could result in loss of confidentiality
    One (CVE-2016-2178) is a timing side-channel attack that, in specific circumstances, could allow an attacker to derive the private DSA key that belongs to another user or service running on the same system

Five of the 16 vulnerabilities affect exclusively the recently released OpenSSL versions that belong to the 1.1.0 code train, which has not yet been integrated into any Cisco product.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160927-openssl


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)

iQIVAwUBV+r9R689gD3EAJB5AQIs2g//TXbk+qIT/kKxt/MJOUQLkID2tdWZr8Ls
2vcQm5EI8HKr+qSFih3/jyRl5A4LSZsZjQPIo6IxpGKtFLBleBH89l+4rh5D9Hit
/hpQGgIXt57yUug6vHqZiU/zh65pifVCOqvu2E7Gy6pd530AqLhRjK5IKND4GFaW
M2QPwrM2DYchWBuFIA7/r63HFQneaZqzHfR/wA1hhcvWUkDR9h9DaLbX15vG7CHI
J1rAgywVeLOMN7VjDwadvtNfDECnLYeSP91380oL6dB4zyeO18YoHHHYuFTphRSb
umz2zdU8Ku6QBXnUvJjAW3QtzvPX3scjXOgeJqHMLK+38tPkoHZvQeGRfGNmKDEQ
0fA1xFQLlRtetjKGC0L74IjdUXklvyTuGbn5P5CP+vBTLaWCcc/rqfY67NfNtIqp
SKz+9UtprxAlLN3BKkCSzIiKS3BDokbOEORHCEYEmbYkwUNVp0KEXKgAgNlFO/BS
yaL+CDxxiRdbnFixUcG8/xQj584xwOm/cp1u8otySYfSd70oTMqP11VXh+WB+6hT
zHhSMOvLzpLeM++m121ojARIXbXTQLGziLHaRSi8WH+OuB6rceic0f0HwLlBCRlk
LFxQunW2EawYlJGV5Czld4vdoHBSDGcP8bOg9M4LUtA+sKCGpgrTPombG98mhuut
7i2jUMZa7K8=
=KS16
-----END PGP SIGNATURE-----





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.