Friday, April 11, 2014

"Heartbleed" Vulnerability in the implementation of OpenSSL

Websense Security Labs has been tracking news of a vulnerability in the implementation of OpenSSL which has far-reaching implications for its users and those impacted by its use.

The vulnerability allows a remote attacker to read the memory of systems protected by vulnerable versions of OpenSSL. Data that may be stolen includes certificates, private keys, Personally Identifiable Information (PII) and any other sensitive data held in memory.

For those not familiar with OpenSSL, it is an open-source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength general-purpose cryptography library. It is deployed in many scenarios, such as within email servers and VPN systems, and can be embedded within operating systems. Any such system using a vulnerable version of OpenSSL is therefore exposed to exploitation.

The vulnerability exists in OpenSSL v1.0.1 through v1.0.1f (also v1.0.2-beta1).  Please refer to http://www.openssl.org/
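The first step for defenders is a version triage: collect the output of `openssl version` from each host and compare it against the affected range named above (1.0.1 through 1.0.1f, plus 1.0.2-beta1). The following Python is an added example written for this post, not Websense or OpenSSL project code; the host names and version banners in the inventory are constructed sample data.

```python
import re

# Affected range as stated in the post: 1.0.1 (no letter) through 1.0.1f,
# plus the 1.0.2-beta1 pre-release.
VULNERABLE_101_LETTERS = "abcdef"

# Matches banners such as "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-(beta\d+))?")


def parse_openssl_version(banner):
    """Parse `openssl version` output into (major, minor, fix, letter, prerelease).

    Returns None when the text does not look like an OpenSSL version banner.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter, pre = m.groups()
    return (int(major), int(minor), int(fix), letter, pre)


def is_heartbleed_affected_version(banner):
    """True if the banner falls inside the affected range listed in the post."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letter, pre = parsed
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 with no patch letter, and 1.0.1a..1.0.1f, are affected; 1.0.1g is the fix.
        return letter == "" or letter in VULNERABLE_101_LETTERS
    if (major, minor, fix) == (1, 0, 2):
        return pre == "beta1"
    # 0.9.8 and 1.0.0 branches never carried the vulnerable code.
    return False


def triage_inventory(inventory):
    """Return the hosts whose reported OpenSSL version is in the affected range.

    `inventory` maps host name -> raw `openssl version` output.
    """
    affected = []
    for host, banner in sorted(inventory.items()):
        if parse_openssl_version(banner) is None:
            continue  # unparseable banner; handle separately
        if is_heartbleed_affected_version(banner):
            affected.append(host)
    return affected


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = {
    "mail-01.example.test": "OpenSSL 1.0.1e 11 Feb 2013",
    "vpn-01.example.test": "OpenSSL 1.0.1g 7 Apr 2014",
    "web-02.example.test": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "legacy-db.example.test": "OpenSSL 0.9.8y 5 Feb 2013",
}

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print("AFFECTED:", host, SAMPLE_INVENTORY[host])
```

One caveat when using this in practice: some Linux distributions backported the fix while keeping the upstream version string (the banner still reads 1.0.1e, for example), so a match here means "investigate", and the package changelog or a rebuilt-date check is needed to confirm whether the host is actually still exposed.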