OpenSSL Vulnerability

The OpenSSL team has announced a fix to resolve a high severity vulnerability (CVE-2015-1793) which allows certificate forgery. During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication. It affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o

OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d

OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p

Stable distributions of many Linux flavors are not affected:

RedHat: No Red Hat products are affected by the CVE-2015-1793 flaw. No actions need to be performed to fix or mitigate this issue in any way.

OpenSUSE: The OpenSSL versions shipped in openSUSE 13.1 and 13.2 are not affected. The openSUSE Tumbleweed distribution never received a vulnerable version and was never affected. The next submission into Factory will skip any vulnerable versions.

Ubuntu: Ubuntu versions 12.04LTS, 14.04LTS, 14.10LTS, 15.04 and 15.10 are not affected.

Debian: The stable and old stable versions are not vulnerable. The 'testing' and 'unstable' versions are affected.

Qualys has released QID 38104. Please refer to the knowledge base for more information on this check.