OpenSSL Update Released for "Alternative chains certificate forgery" Vulnerability
<p>
Websense® Security Labs™ have, since Monday 6 July, been looking out for details of an anticipated release to the OpenSSL open source toolkit for SSL/TLS.</p>
<p>
Today (9 July 2015) the OpenSSL Project released an update to the popular toolkit, detailed in the Security Advisory available here: <a href="https://www.openssl.org/news/secadv_20150709.txt">https://www.openssl.or...</a></p>
<p>
<img alt="" src="/sites/default/files/blog/legacy/1307.openssl_cve20151793.png-550x0.png" style="height:190px; width:549px" /></p>
<p>
The advisory describes an implementation error in the logic that builds and validates certificate chains. The so-called "Alternative chains certificate forgery" issue allows an attacker to bypass certain checks, so that a valid leaf certificate can be used as if it were a CA (Certificate Authority) certificate to issue further certificates that pass verification.</p>
<p>
The issue has been assigned CVE-2015-1793 and is classified as "High" severity.</p>
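<p>
The following POSIX shell script is an added example, not part of the original post or of the OpenSSL project. It constructs a chain root CA (CA:TRUE) to leaf (CA:FALSE) to a certificate signed with the leaf's key, then checks that the locally installed <code>openssl verify</code> refuses that last certificate, which is the issuer-must-be-a-CA check an attacker would need to bypass. It does not reproduce the CVE-2015-1793 trigger itself; it assumes the <code>openssl</code> command-line tool is on PATH, and every subject name in it is constructed.</p>

```shell
#!/bin/sh
# Added example, not from the original post or OpenSSL itself.
# Builds: root CA (CA:TRUE) -> leaf (CA:FALSE) -> "forged" cert signed by the leaf.
# A correct verifier must refuse the forged cert: its issuer is not a CA.
# Assumes the `openssl` CLI is on PATH; all subject names are constructed.

write_config() {
  # Minimal config: empty DN section (subjects come from -subj) plus one
  # extension section for a CA and one for an end-entity certificate.
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = critical, CA:FALSE
EOF
}

build_chain() {
  d="$1"; write_config "$d/x.cnf"
  # Self-signed root marked CA:TRUE.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Constructed Root CA" \
    -config "$d/x.cnf" -extensions v3_ca -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  # Genuine leaf issued by the root, explicitly marked CA:FALSE.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" -config "$d/x.cnf" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -sha256 -days 30 -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/x.cnf" -extensions v3_leaf -out "$d/leaf.pem" 2>/dev/null || return 1
  # Certificate signed with the leaf's key: a leaf being used as if it were a CA.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=forged.example.test" -config "$d/x.cnf" \
    -keyout "$d/forged.key" -out "$d/forged.csr" 2>/dev/null || return 1
  openssl x509 -req -sha256 -days 30 -in "$d/forged.csr" -CA "$d/leaf.pem" -CAkey "$d/leaf.key" \
    -CAcreateserial -extfile "$d/x.cnf" -extensions v3_leaf -out "$d/forged.pem" 2>/dev/null
}

# Returns 0 when the local OpenSSL accepts the genuine leaf but rejects the
# certificate issued by it; returns 1 if openssl is missing, setup fails, or
# the forged certificate is accepted (the behaviour you do not want to see).
verify_rejects_leaf_issuer() {
  command -v openssl >/dev/null 2>&1 || return 1
  d=$(mktemp -d) || return 1
  rc=1
  if build_chain "$d" \
     && openssl verify -CAfile "$d/root.pem" "$d/leaf.pem" >/dev/null 2>&1 \
     && ! openssl verify -CAfile "$d/root.pem" -untrusted "$d/leaf.pem" "$d/forged.pem" >/dev/null 2>&1
  then rc=0; fi
  rm -rf "$d"
  return $rc
}

verify_rejects_leaf_issuer && echo "OK: leaf-issued certificate rejected" || echo "FAIL: accepted or setup failed"
```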
<p>
If you are using one of the affected versions of OpenSSL (1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o), we encourage you to upgrade to the latest release of OpenSSL where that is applicable to your environment and deployment. The availability details and release notes for OpenSSL v1.0.2d, for example, can be found here: <a href="https://mta.openssl.org/pipermail/openssl-announce/2015-July/000039.html">https://mta.openssl.org/pipermail/openssl-announce/2015-July/000039.html...</a></p>
<p>
The advance warning of a forthcoming release was made on 6 July 2015. That is archived here: <a href="https://mta.openssl.org/pipermail/openssl-announce/2015-July/000037.html">https://mta.openssl.org/pipermail/openssl-announce/2015-July/000037.html...</a></p>
<p>
It is recommended that users of OpenSSL, and of similar toolkits, adopt a process to monitor for such notifications and establish a patch management process suited to their needs.</p>