Severe Vulnerability Found in OpenSSL

NJCCIC Advisory

Original Release Date: 12/10/2020

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) issued a security update urging administrators to upgrade vulnerable OpenSSL software after a high-severity vulnerability was discovered. Tracked as CVE-2020-1971, the vulnerability originates from a NULL pointer dereference, which may lead to a denial-of-service condition if exploited. Affected versions include 1.1.1-1.1.1h and 1.0.2-1.0.2w. All OpenSSL versions prior to 1.1.1 are considered end-of-life and will no longer receive updates; therefore, only premium users will be provided with the patched 1.0.2x version. All other users should upgrade to version 1.1.1i. In 2014, an OpenSSL vulnerability known as Heartbleed was quickly exploited. Though this vulnerability is not as severe, it affects many major organizations' web servers and may impact holiday shopping if exploited.

Recommendations

The NJCCIC urges administrators to upgrade vulnerable OpenSSL versions immediately. Additional reporting can be found in the Bleeping Computer article, and further technical details can be found in the OpenSSL Security Advisory.
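Before upgrading, an administrator usually wants to know whether a given host actually falls inside the affected ranges the advisory lists. The following is an added example, not code from the NJCCIC, CISA or the OpenSSL project: it parses the banner printed by `openssl version` and classifies it against the ranges stated above (1.1.1 through 1.1.1h, fixed in 1.1.1i; 1.0.2 through 1.0.2w, fixed in 1.0.2x; anything older than 1.1.1 other than the 1.0.2 line treated as end-of-life). The sample banners are constructed for illustration, and the `check_local` helper is an assumption about how one would run it on a real host.

```python
import re
import subprocess

# Affected ranges exactly as the advisory lists them (inclusive):
# 1.1.1 through 1.1.1h (fixed in 1.1.1i) and 1.0.2 through 1.0.2w (fixed in 1.0.2x).
# Value tuple: (first patch letter, last patch letter, fixed release).
AFFECTED = {
    (1, 1, 1): ("", "h", "1.1.1i"),
    (1, 0, 2): ("", "w", "1.0.2x"),
}
CURRENT_FIXED = "1.1.1i"  # release the advisory tells non-premium users to move to

BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_banner(banner):
    """Turn the first line of `openssl version` into ((major, minor, fix), patch_letter)."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def assess(banner):
    """Classify a banner against CVE-2020-1971.

    Returns (status, advice) where status is one of
    'vulnerable', 'patched', 'eol' or 'unlisted'.
    """
    base, letter = parse_banner(banner)
    if base in AFFECTED:
        first, last, fixed = AFFECTED[base]
        # Patch letters sort lexically ('' < 'a' < ... < 'h'), and the post-'z'
        # series ('za', 'zb', ...) sorts after every single letter, so a plain
        # string comparison gives the right order.
        if first <= letter <= last:
            return "vulnerable", f"upgrade to {fixed}"
        return "patched", f"{fixed} or later already installed"
    if base < (1, 1, 1):
        # Pre-1.1.1 lines other than 1.0.2 are end-of-life and receive no fix.
        return "eol", f"no fix published; migrate to {CURRENT_FIXED}"
    return "unlisted", "version not in the advisory's affected ranges"


def check_local():
    """Assumed helper: run the host's `openssl version` and assess the result."""
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=True).stdout
    return assess(out)


if __name__ == "__main__":
    # Constructed sample banners, not output captured from any real host.
    samples = [
        "OpenSSL 1.1.1h  22 Sep 2020",
        "OpenSSL 1.1.1i  8 Dec 2020",
        "OpenSSL 1.0.2u  20 Dec 2019",
        "OpenSSL 1.1.0l  10 Sep 2019",
    ]
    for sample in samples:
        status, advice = assess(sample)
        print(f"{sample!r:32} -> {status}: {advice}")
```

Running the script prints one line per sample; on a real host, `check_local()` runs the same classification against the locally installed binary. Note that the check only looks at the version string, so a distribution that backports the fix without bumping the version (as some vendors do) will still show as vulnerable here and must be verified against the vendor's own advisory.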

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov
