Reference: CERT-EU Security Advisory 2012-0064

Title: OpenSSL Security Advisory - Invalid TLS/DTLS record attack [1]

Version history:
15.05.2012 Initial publication

Summary
=======

A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1, 1.2 and DTLS can be exploited in a denial of service attack or arbitrary code execution on both clients and servers. [1,3]

CVE-2012-2333

CVSS v2 Base Score: 7.5 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:P/A:P) [2,4]

Vulnerable systems
==================

DTLS applications are affected in all versions of OpenSSL.
TLS is only affected in OpenSSL 1.0.1 and later.

What can you do?
================

Affected users should upgrade to OpenSSL 1.0.1c, 1.0.0j or 0.9.8x [1]

What to tell your users?
========================

N/A

More information
================

[1] http://www.openssl.org/news/secadv_20120510.txt
[2] https://access.redhat.com/security/cve/CVE-2012-2110
[3] https://bugzilla.redhat.com/show_bug.cgi?id=820686
[4] Information about CVSS: http://www.first.org/cvss/cvss-guide.html

Best regards,

CERT-EU
CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its setup phase, until May 2012. Services are provided in a pilot fashion, and are not yet fully functional. Announcements, alerts and warnings are sent out in best effort manner, and to contact information currently known to us. We apologise if you are not the correct recipient, or if you had already been warned about this issue from another source. Format, content and way of alerting are subject to change in the future. Contact information or even the team name may change as well.

Data Protection: CERT-EU complies with EU Regulation 45/2001 with regards to personal data protection. Our privacy statement is published here http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
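
The following is an added example, not part of the CERT-EU advisory or of OpenSSL: a Python check that classifies the banner printed by `openssl version` against the fixed releases and the TLS/DTLS scope stated above. The function names and status strings are assumptions of this example, and the sample banners are constructed.

```python
import re

# Fixed releases per branch, as listed in the advisory.
# Caveat: distribution packages may backport the fix without changing the
# upstream version letter, so check the package changelog on such systems.
FIXED = {"0.9.8": "x", "1.0.0": "j", "1.0.1": "c"}
VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def parse_version(banner):
    """Split an `openssl version` banner into (branch, patch letters)."""
    m = VERSION_RE.search(banner)
    if m is None:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    return m.group(1), m.group(2)


def letter_rank(letters):
    # Patch letters run '', a..z, then za, zb, ...: shorter sorts first,
    # equal lengths sort alphabetically.
    return (len(letters), letters)


def assess(banner, uses_dtls=False):
    """Classify a banner against the advisory (status names are hypothetical)."""
    branch, letters = parse_version(banner)
    if branch not in FIXED:
        return "unknown-branch"  # the advisory names no fixed release here
    if letter_rank(letters) >= letter_rank(FIXED[branch]):
        return "fixed"
    # Below the fixed release: DTLS is affected in all versions,
    # TLS only in 1.0.1 and later.
    if uses_dtls or branch == "1.0.1":
        return "affected"
    return "dtls-only-exposure"


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    samples = ["OpenSSL 1.0.1b 26 Apr 2012", "OpenSSL 1.0.1c 10 May 2012",
               "OpenSSL 0.9.8w 23 Apr 2012", "OpenSSL 0.9.8za 5 Jun 2014"]
    for banner in samples:
        print(f"{banner:28} tls-only={assess(banner):20} "
              f"with-dtls={assess(banner, uses_dtls=True)}")
```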