Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

OpenSSL fixes DoS flaw introduced by critical DTLS patch

OpenSSL fixed a denial-of-service vulnerability introduced by a patch to prevent DTLS plain text recovery attacks

The OpenSSL Project has released new versions of the popular OpenSSL library in order to address a denial-of-service (DoS) vulnerability that was introduced by a critical patch issued on Jan. 6.

"A flaw in the fix to CVE-2011-4108 can be exploited in a denial of service attack," the OpenSSL developers warned in a newly published advisory. The issue has been addressed in the new OpenSSL 1.0.0g and 0.9.8t versions released on Wednesday.

CVE-2011-4108 refers to a serious vulnerability in OpenSSL's implementation of the DTLS (Datagram Transport Layer Security) protocol, which allows attackers to decrypt secured communications without knowing the encryption key.

The vulnerability was discovered by Nadhem Alfardan and Kenny Paterson of the Information Security Group at Royal Holloway, University of London (RHUL), while investigating weaknesses in the CBC (Cipher-block chaining) mode of operation.

The researchers plan to present their "padding oracle attack" against DTLS at the 19th Annual Network & Distributed System Security (NDSS) Symposium in February. Padding oracle attacks work by analyzing timing differences that arise during the decryption process in order to recover plain text from encrypted communications.

Users who have not yet upgraded to OpenSSL 1.0.0f or 0.9.8s in order to protect their DTLS applications against CVE-2011-4108, are advised to upgrade directly to the newly released OpenSSL 1.0.0g or 0.9.8t.

OpenSSL is available for a wide variety of platforms, including Linux, Solaris, Mac OS X, BSD, Windows and OpenVMS. Some of these operating systems include OpenSSL by default and deliver updates for it through their own channels.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: etwork, Linux, University of London
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: Exploits / vulnerabilities, security, University of London
Latest Blog Posts
Whitepapers
  • Blurring boundaries: The disappearing gap between work and home life
    Call it multi-tasking, life-splicing or bleisure but increasingly, fuelled by advances in technology, employees are blurring the boundaries between home and work. ‘Generation Standby’ employees, never truly ‘switched off’ and always ready to be called upon, are now enjoying, and expecting, greater levels of flexibility and mobility than ever before. Read on.
    Learn more »
  • 5 Best Practices for Achieving Peak Performance in SAP Environments
    Given how deeply businesses rely on their SAP systems, it’s simple to see that maximizing performance and uptime is critical. What’s not so simple is figuring out how to understand, let alone optimize, performance in these complex, dynamic, and interrelated ecosystems. This paper offers five best practices that can help administrators more effectively measure and improve SAP performance.
    Learn more »
  • EMC 15-Minute Guide to Smarter Backup Transform your future
    Backup and recovery has become fundamental part of business and an essential element of information management. Information is useless to customers, employees, or business partners can't access it when it is needed. Availability and integrity of information, of the lack of, can directly impact revenues and profits - as well as company reputations. Read more.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments