Welcome Guest. Please Login or Register  


You are here: Index > Webuzo > General Support > Topic : OpenSSL Vulnerability [CVE-2018-0732 & CVE-2018-0737]



Threaded Mode | Print  

 OpenSSL Vulnerability [CVE-2018-0732 & CVE-2018-0737] (0 Replies, Read 1187 times)
webuzo_manager
Group: Webuzo Team
Post Group: Elite Member
Posts: 271
Status:
Hi,

We have updated OpenSSL to the latest LTS version: <strong>1.0.2 p</strong>

The above update includes fix for the following Vulnerabilities:

CVE-2018-0732:
During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o).

Find more info at: https://nvd.nist.gov/vuln/detail/CVE-2018-0732">https://nvd.nist.gov/vuln/detail/CVE-2018-0732

CVE-2018-0737:
The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o).

Find more info at: https://nvd.nist.gov/vuln/detail/CVE-2018-0737">https://nvd.nist.gov/vuln/detail/CVE-2018-0737

We recommend all users to update OpenSSL, Webserver and related Libraries to protect your server against the above attacks.

Let me know if you have any questions in the comment section.

Regards,
The Webuzo Team
IP: --   

« Previous    Next »

Threaded Mode | Print  



Jump To :


Users viewing this topic
1 guests, 0 users.


All times are GMT. The time now is December 11, 2018, 2:20 pm.

  Powered By AEF 1.0.8 © 2007-2008 Electron Inc.Queries: 11  |  Page Created In:0.093