In OpenSSL, a vulnerability has been discovered in the processing of the Change Cipher Spec message in the initial SSL/TLS handshake.
Encrypted communication over SSL/TLS is meant to prevent an attacker who sits in the communication path between users and a web site from eavesdropping on or tampering with the content of the communication (a man-in-the-middle attack).
However, when this vulnerability is exploited, a man-in-the-middle attack cannot be prevented, and the content of the encrypted communication may be leaked or tampered with.
From “Vulnerability in Change Cipher Spec message processing in OpenSSL” (JVN#61247051), IPA Information-technology Promotion Agency, Japan
More details on CVE-2014-0224 are available here.
A new vulnerability in OpenSSL has been found. The following environments are affected by this vulnerability.
Server side:
- OpenSSL 1.0.1 series: 1.0.1g and earlier
Client side:
- OpenSSL 1.0.1 series: 1.0.1g and earlier
- OpenSSL 1.0.0 series: 1.0.0l and earlier
- OpenSSL 0.9.8 series: 0.9.8y and earlier
On Amazon Linux (AWS), an openssl package that addresses this vulnerability (openssl-1.0.1g-1.70.amzn1) is already available and can be installed through yum. See the OpenSSL Security Advisory.
If you run a server built from the Amimoto AMI, please update OpenSSL to address this vulnerability: sudo yum update openssl
Note that although the updated OpenSSL package is still numbered 1.0.1g-1.70 (the version string keeps the 1.0.1g number), you can use it with confidence because it contains the patch. To verify the installed package, run:
rpm -q openssl
Check that the package number has become 1.0.1g-1.70. For the exact update procedure and how to check the package number, please refer to the earlier article “for CVE-2014-0160 OpenSSL Heartbleed vulnerability”.
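As an added example (not from the original post or from Amimoto), here is a POSIX shell check that classifies an Amazon Linux openssl package string, such as the output of rpm -q openssl, against the fixed package named above. The package strings inside it are constructed samples, and only the 1.0.1 series listed for the server side is assessed.

```shell
#!/bin/sh
# Added example: classify an Amazon Linux openssl package string against the
# CVE-2014-0224 (CCS Injection) fix named above, openssl-1.0.1g-1.70.amzn1.
# Only the 1.0.1 series (the server-side range in the advisory) is handled;
# the sample package strings below are constructed, not taken from a real host.

# Print "VERSION RELEASE" from an NVR such as openssl-1.0.1g-1.70.amzn1.x86_64
parse_nvr() {
    rest=${1#openssl-}               # 1.0.1g-1.70.amzn1.x86_64
    version=${rest%%-*}              # 1.0.1g
    release=${rest#*-}               # 1.70.amzn1.x86_64
    release=${release%%.amzn*}       # 1.70
    printf '%s %s\n' "$version" "$release"
}

# Exit status: 0 = patched, 1 = vulnerable, 2 = series not covered by this check
openssl_ccs_patched() {
    set -- $(parse_nvr "$1")
    case "$1" in
        1.0.1[a-f]) return 1 ;;      # older than the Amazon Linux backport base
        1.0.1[h-z]) return 0 ;;      # upstream fixed release line (1.0.1h and later)
        1.0.1g)     ;;               # depends on the backport release number below
        *)          return 2 ;;      # 1.0.0 / 0.9.8 / other series: not assessed here
    esac
    major=${2%%.*}                   # 1
    minor=${2#*.}; minor=${minor%%.*} # 70
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -ge 70 ] && return 0
    return 1
}

# Print a one-line verdict for a package string.
report() {
    rc=0; openssl_ccs_patched "$1" || rc=$?
    case $rc in
        0) echo "$1: patched" ;;
        1) echo "$1: VULNERABLE, run: sudo yum update openssl" ;;
        *) echo "$1: not covered by this check" ;;
    esac
}

# Constructed samples; on a real host use: report "$(rpm -q openssl)"
report "openssl-1.0.1g-1.70.amzn1.x86_64"
report "openssl-1.0.1g-1.69.amzn1.x86_64"
report "openssl-1.0.1e-4.amzn1.x86_64"
```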