The OpenSSL Project has pushed out new releases of the popular eponymous open-source cryptographic library, which fix four serious vulnerabilities, including the POODLE (Padding Oracle On Downgraded Legacy Encryption) problem.
The latter has been addressed by adding support for TLS_FALLBACK_SCSV, which prevents an MITM attacker from forcing a protocol downgrade, and by patching a bug that allowed servers to accept and complete an SSL 3.0 handshake, and clients to send one, even if OpenSSL is configured with “no-ssl3” as a build option.
The other two fixed bugs allow memory leaks that could be exploited by attackers looking for a way to launch DoS attacks against servers.
The more serious of the two can be exploited by an attacker sending a carefully crafted handshake message to the server, which causes OpenSSL to fail to free up to 64k of memory. Repeating this action many times would lead to the server exhausting available memory and, ultimately, would make it crash altogether or cause performance degradation.
The new OpenSSL versions are 1.0.1j, 1.0.0o and 0.9.8zc. It’s also good to know that this release marks the last patch for OpenSSL 0.9.8.
The OpenSSL team has had a busy year when it comes to patching. In April they had to deal with the Heartbleed vulnerability, and in June with critical MITM and code execution flaws.