On Vulnerability CVE-2014-0224: Change Cipher Spec Message Processing

A vulnerability has been found in the way “OpenSSL” processes the Change Cipher Spec message during the initial SSL/TLS handshake.
Normally, SSL/TLS encryption protects the path between the user and the web site, so that an attacker who places themselves on that path cannot eavesdrop on or tamper with the communication (a man-in-the-middle attack).
When this vulnerability is exploited, however, a man-in-the-middle attack can no longer be prevented, and the content of the encrypted communication may be disclosed or tampered with. (Source: “Vulnerability in Change Cipher Spec message processing in OpenSSL” (JVN#61247051), IPA Information-technology Promotion Agency, Japan)

More vulnerability details on CVE-2014-0224 here. 


A new vulnerability has been found in OpenSSL. The following environments are affected by it.

Server side:

  • OpenSSL 1.0.1 series: 1.0.1g and earlier

Client side:

  • OpenSSL 1.0.1 series: 1.0.1g and earlier
  • OpenSSL 1.0.0 series: 1.0.0l and earlier
  • OpenSSL 0.9.8 series: 0.9.8y and earlier

On AWS Amazon Linux, an openssl package that addresses this vulnerability (openssl-1.0.1g-1.70.amzn1) is already available and can be installed through yum. (OpenSSL Security Advisory)


If you run a server on the Amimoto AMI, please update OpenSSL to address this vulnerability: sudo yum update openssl

Note that after the update the OpenSSL version still reads 1.0.1g (package 1.0.1g-1.70). This is expected: the Amazon Linux package is 1.0.1g with the fix applied, so you can use it with confidence.

Run rpm -q openssl and check that the package version is now 1.0.1g-1.70. For the exact update procedure and how to check the package version, see the earlier post “for CVE-2014-0160 OpenSSL Heartbleed vulnerability”.
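As an added example (not code from the original post or from Amimoto), the following shell script turns the rpm -q openssl check above into a yes/no answer: it parses the package name-version-release string and reports whether the installed package is at or past 1.0.1g-1.70, the Amazon Linux release that carries the fix. The NVR layout, the helper names and the sample package strings are assumptions made for this example.

```sh
#!/bin/sh
# Added example: is the installed Amazon Linux openssl package at or past the
# release that fixes CVE-2014-0224 (openssl-1.0.1g-1.70.amzn1)?
# Assumption: rpm -q prints name-version-release, e.g. "openssl-1.0.1g-1.70.amzn1".

FIXED_VERSION="1.0.1g"   # fixed package from the advisory quoted on this page
FIXED_RELEASE="1.70"

# Split "openssl-1.0.1g-1.70.amzn1" into version "1.0.1g" and release "1.70.amzn1".
nvr_version() { echo "$1" | sed 's/^openssl-//; s/-.*$//'; }
nvr_release() { echo "$1" | sed 's/^openssl-//; s/^[^-]*-//'; }

# Turn "1.0.1g" into the fixed-width key "001.000.001.103": three zero-padded
# numbers plus the ASCII code of the letter suffix (0 if none), so that
# 1.0.1e < 1.0.1g < 1.0.1h compares correctly as plain strings.
version_key() {
  num=$(echo "$1" | sed 's/[a-z]*$//')
  letter=$(echo "$1" | sed 's/^[0-9.]*//')
  code=0
  if [ -n "$letter" ]; then code=$(printf '%d' "'$letter"); fi
  echo "$num" | awk -F. -v c="$code" '{ printf "%03d.%03d.%03d.%03d\n", $1, $2, $3, c }'
}

# Turn "1.70.amzn1" into "001.070"; the distribution tag is ignored.
release_key() {
  echo "$1" | awk -F. '{ printf "%03d.%03d\n", $1, $2 }'
}

# Exit 0 when the package is 1.0.1g-1.70 or later: a newer upstream version is
# accepted on its own, the same version needs a release of at least 1.70.
openssl_is_patched() {
  v=$(version_key "$(nvr_version "$1")")
  r=$(release_key "$(nvr_release "$1")")
  fv=$(version_key "$FIXED_VERSION")
  fr=$(release_key "$FIXED_RELEASE")
  awk -v v="$v" -v fv="$fv" -v r="$r" -v fr="$fr" \
    'BEGIN { exit !(v > fv || (v == fv && r >= fr)) }'
}

# Live check, only where rpm exists (for example on the Amimoto AMI).
if command -v rpm >/dev/null 2>&1; then
  pkg=$(rpm -q openssl 2>/dev/null || echo "openssl-not-installed")
  if openssl_is_patched "$pkg"; then
    echo "$pkg: fix for CVE-2014-0224 present"
  else
    echo "$pkg: run 'sudo yum update openssl'"
  fi
fi
```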