Security Update: OpenSSL Vulnerabilities Can Lead to Man-in-the-middle Attack
OpenSSL announced the release of updates to address man-in-the-middle attack vulnerabilities.
Advanced Users: For a complete description of the vulnerability visit OpenSSL Security Advisory [05 Jun 2014] at https://www.openssl.org/news/secadv_20140605.txt.
- OpenSSL 0.9.8 SSL/TLS
- OpenSSL 1.0.0 SSL/TLS
- OpenSSL 1.0.1 SSL/TLS
WHAT'S THE PROBLEM?
By attacking a service that uses a vulnerable version of OpenSSL, a remote, unauthenticated attacker with a man-in-the-middle vantage point on the network may be able to decrypt or modify traffic between a client and server.
WHAT DO I NEED TO DO?
Update your software
1. If you are supported by IT Field Services or have other IT support, no action on your part is required.
2. If you do not have IT support, updates may be obtained through OpenSSL Security Advisory [05 Jun 2014] at https://www.openssl.org/news/secadv_20140605.txt.
- OpenSSL 0.9.8 SSL/TLS users should upgrade to 0.9.8za
- OpenSSL 1.0.0 SSL/TLS users should upgrade to 1.0.0m
- OpenSSL 1.0.1 SSL/TLS users should upgrade to 1.0.1h
- National Vulnerability Database’s Vulnerability Summary for CVE-2014-0224 at https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224
- ITS Security & Policy at http://it.ucsf.edu/security
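
To check an installed build against the upgrade targets listed above, the following added example (not part of the original bulletin and not OpenSSL's own code) compares a version string in the form printed by `openssl version` with the fixed releases 0.9.8za, 1.0.0m and 1.0.1h. The function name `needs_upgrade` and the sample strings are assumptions constructed for illustration.

```python
import re

# Fixed releases named in this bulletin, keyed by release branch.
FIXED = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}

# Accepts "OpenSSL 1.0.1g ..." or a bare "1.0.1g"; anything after the
# patch letters (build date, "-fips") is ignored.
_VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+\.\d+\.\d+)([a-z]*)")


def _letter_rank(suffix):
    # OpenSSL patch letters run "", a..z, then za, zb, ... so ordering by
    # length first and then alphabetically gives the release order.
    return (len(suffix), suffix)


def needs_upgrade(version_text):
    """Return True if older than the fixed release for its branch,
    False if at or past it, None if the branch is not in this bulletin."""
    m = _VERSION_RE.match(version_text.strip())
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % version_text)
    branch, letter = m.groups()
    fixed = FIXED.get(branch)
    if fixed is None:
        return None
    return _letter_rank(letter) < _letter_rank(fixed)


if __name__ == "__main__":
    # Constructed sample strings, not output captured from real hosts.
    samples = [
        "OpenSSL 0.9.8y",
        "OpenSSL 0.9.8za",
        "OpenSSL 1.0.0m",
        "OpenSSL 1.0.1e-fips",
        "OpenSSL 1.0.1h",
        "OpenSSL 1.0.2a",
    ]
    for s in samples:
        result = needs_upgrade(s)
        status = {True: "UPGRADE", False: "ok", None: "not covered here"}[result]
        print("%-22s %s" % (s, status))
```

Distribution packages often backport security fixes without changing the upstream version letter, so a True result on a vendor-packaged build should be confirmed against the vendor's own advisory.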