New OpenSSL vulnerability (wodSSH / wodSSH.NET)
by g_phanikiran, Thursday, May 05, 2016, 12:40 (3124 days ago)
We have got a new vulnerability for OpenSSL:
https://www.openssl.org/news/secadv/20160503.txt
Is wodSSH.NET, WeOnlyDo.Client.FTP affected by this vulnerability? I am using v2.6 and 1.7 versions respectively.
If affected, is there a hotfix or a patch available to overcome this vulnerability?
New OpenSSL vulnerability
by Jasmine, Thursday, May 05, 2016, 13:06 (3124 days ago) @ g_phanikiran
Hi.
wodSSH.NET and wodFtpDLX.NET don't use OpenSSL, so you're not affected.
Kind regards,
Jasmine.
New OpenSSL vulnerability
by Mark, Thursday, May 05, 2016, 22:06 (3124 days ago) @ Jasmine
How about WODCrypt? We use OpenSSL with this component. Will there be an update?
Thanks,
Mark
New OpenSSL vulnerability
by Jasmine, Thursday, May 05, 2016, 22:08 (3124 days ago) @ Mark
Hi Mark.
We're using OpenSSL 1.0.2g in all our products, and so does wodCrypt. We're not affected by this vulnerability.
I hope this helps!
Jasmine.
New OpenSSL vulnerability
by Mark, Thursday, May 05, 2016, 23:36 (3124 days ago) @ Jasmine
I believe the below vulnerability affects 1.0.2g.
Thanks,
Mark
CVE-2016-2107 (OpenSSL advisory) [High severity] 3rd May 2016:
A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI. This issue was introduced as part of the fix for the Lucky 13 padding attack (CVE-2013-0169). The padding check was rewritten to be in constant time by making sure that always the same bytes are read and compared against either the MAC or padding bytes. But it no longer checked that there was enough data to have both the MAC and padding bytes. Reported by Juraj Somorovsky.
Fixed in OpenSSL 1.0.1t (Affected 1.0.1s, 1.0.1r, 1.0.1q, 1.0.1p, 1.0.1o, 1.0.1n, 1.0.1m, 1.0.1l, 1.0.1k, 1.0.1j, 1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
Fixed in OpenSSL 1.0.2h (Affected 1.0.2g, 1.0.2f, 1.0.2e, 1.0.2d, 1.0.2c, 1.0.2b, 1.0.2a, 1.0.2)
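
Added example (not part of the thread or of any WeOnlyDo code): a check of an OpenSSL version banner against the affected and fixed releases listed in the advisory text quoted above. The function names and the sample banners are constructed for illustration.

```python
import re

# First fixed release per branch, taken from the advisory text quoted above.
FIXED_IN = {"1.0.1": "t", "1.0.2": "h"}

# Matches "1.0.2g" inside banners such as "OpenSSL 1.0.2g  1 Mar 2016".
_VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+)([a-z]*)\b")


def parse_openssl_version(text):
    """Return (branch, letter) for an OpenSSL version string.

    The letter is "" for the initial release of a branch (e.g. "1.0.1").
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % (text,))
    return m.group(1), m.group(2)


def _letter_key(letter):
    # "" < "a" < ... < "z" < "za" ...: shorter suffixes sort first.
    return (len(letter), letter)


def cve_2016_2107_status(version_text):
    """Classify a version as 'affected', 'fixed' or 'not listed'.

    'not listed' means the branch does not appear in the quoted advisory
    text, so this check cannot say anything about it.
    """
    branch, letter = parse_openssl_version(version_text)
    fixed = FIXED_IN.get(branch)
    if fixed is None:
        return "not listed"
    if _letter_key(letter) < _letter_key(fixed):
        return "affected"
    return "fixed"


if __name__ == "__main__":
    # Constructed sample banners, in the style printed by `openssl version`.
    for banner in ("OpenSSL 1.0.2g  1 Mar 2016", "OpenSSL 1.0.2h  3 May 2016",
                   "OpenSSL 1.0.1  14 Mar 2012", "OpenSSL 0.9.8zh"):
        print("%-30s %s" % (banner, cve_2016_2107_status(banner)))
```

The check looks only at the version string, so a build whose vendor backported the fix without changing the version would still be reported as affected.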
New OpenSSL vulnerability
by Jasmine, Sunday, May 08, 2016, 17:32 (3121 days ago) @ Mark
Hi Mark.
Fixed, we've switched to 1.0.2h.
Jasmine.
New OpenSSL vulnerability
by Ihor, Tuesday, May 10, 2016, 10:43 (3119 days ago) @ Jasmine
What about the WodSSH ActiveX component? We are using version 3.0.0. Is it affected by these vulnerabilities?
New OpenSSL vulnerability
by Jasmine, Tuesday, May 10, 2016, 11:55 (3119 days ago) @ Ihor
Hi Ihor.
We update OpenSSL for each component when it needs to be recompiled. I have forced wodSSH (and other components) to be recompiled now, so please request an update.
Kind regards,
Jasmine.