Can I use the following to mitigate against the latest OpenSSL CVEs (indicated further below):
A security advisory from OpenSSL.org recommended the use of the TLS_FALLBACK_SCSV
mechanism on (Apache) web servers, to ensure that SSL 3.0 is used only when necessary
(in legacy apps). This way, attackers can no longer force a protocol downgrade.
Edit Apache’s ssl.conf & look for the line containing SSLProtocol and amend it to:
SSLProtocol all -SSLv3 -SSLv2
& issue “service httpd reload”
Latest OpenSSL vulnerabilities.
• CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record.
• CVE-2015-0206 - DTLS memory leak in dtls1_buffer_record.
• CVE-2014-3569 - no-ssl3 configuration sets method to NULL
• CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]
• CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA [Client]
• CVE-2015-0205 - DH client certificates accepted without verification [Server]
• CVE-2014-8275 - Certificate fingerprints can be modified
• CVE-2014-3570 - Bignum squaring may produce incorrect results
[ Solution/Workaround ]
System Administrators are to check if their systems are running any vulnerable OpenSSL versions.
If they are vulnerable, GITSIR recommends evaluating the patch before deploying it to production systems.
Please refer to the advisory provided by OpenSSL for more details:
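
For the SSLProtocol edit described in the post above, an added example (not part of the original post and not Apache's own code): a shell function that computes which protocols an SSLProtocol argument list leaves enabled, and rejects tokens mod_ssl would not parse, such as a protocol name prefixed with a typographic dash pasted from a word processor. The names `effective_protocols` and `lc` and the expansion used for `all` are assumptions.

```shell
#!/bin/sh
# Added example: which protocols does an SSLProtocol argument list leave on?

# ASSUMPTION: what "all" expands to on a 2015-era build. Adjust for your
# httpd/OpenSSL versions (newer builds drop SSLv2 and may drop SSLv3).
ALL_PROTOCOLS="SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2"

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# effective_protocols "<arguments of one SSLProtocol directive>"
# Prints the enabled protocols; returns 2 on a malformed or unknown token.
# Runs in a subshell so the locale and globbing changes stay local.
effective_protocols() (
    LC_ALL=C; export LC_ALL    # byte-wise matching: a UTF-8 dash is not "-"
    set -f                     # split tokens without filename expansion
    enabled=""
    for tok in $1; do
        case "$tok" in
            +*) sign='+'; name=${tok#+} ;;
            -*) sign='-'; name=${tok#-} ;;
            [A-Za-z]*) sign='='; name=$tok ;;
            *) echo "malformed token (typographic dash?): $tok" >&2; exit 2 ;;
        esac
        members=""
        if [ "$(lc "$name")" = all ]; then
            members=$ALL_PROTOCOLS
        else
            for p in $ALL_PROTOCOLS; do
                [ "$(lc "$p")" != "$(lc "$name")" ] || members=$p
            done
        fi
        [ -n "$members" ] || { echo "unknown protocol: $name" >&2; exit 2; }
        # A bare name (no +/-) replaces everything set so far.
        [ "$sign" != '=' ] || enabled=""
        for m in $members; do
            kept=""
            for e in $enabled; do [ "$e" = "$m" ] || kept="$kept $e"; done
            enabled=$kept
            [ "$sign" = '-' ] || enabled="$enabled $m"
        done
    done
    echo $enabled
)

# Constructed sample input: the directive with plain ASCII hyphens.
effective_protocols "all -SSLv3 -SSLv2"
```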