—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: September 2016

Advisory ID: cisco-sa-20160927-openssl

Revision: 1.0

For Public Release 2016 September 27 22:40 UTC (GMT)

+———————————————————————

Summary
=======

On September 22, 2016, the OpenSSL Software Foundation released an advisory that describes 14 vulnerabilities. Of these 14 vulnerabilities, the OpenSSL Software Foundation classifies one as “Critical Severity,” one as “Moderate Severity,” and the other 12 as “Low Severity.”

Subsequently, on September 26, the OpenSSL Software Foundation released an additional advisory that describes two new vulnerabilities. These vulnerabilities affect the OpenSSL versions that were released to address the vulnerabilities disclosed in the previous advisory. One of the new vulnerabilities was rated as “High Severity” and the other as “Moderate Severity.”

Of the 16 released vulnerabilities:
Fourteen track issues that could result in a denial of service (DoS) condition
One (CVE-2016-2183, aka SWEET32) tracks an implementation of a Birthday attack against Transport Layer Security (TLS) block ciphers that use a 64-bit block size that could result in loss of confidentiality
One (CVE-2016-2178) is a timing side-channel attack that, in specific circumstances, could allow an attacker to derive the private DSA key that belongs to another user or service running on the same system

Five of the 16 vulnerabilities affect exclusively the recently released OpenSSL versions that belong to the 1.1.0 code train, which has not yet been integrated into any Cisco product.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160927-openssl

—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.5 (SunOS)

iQIVAwUBV+r9R689gD3EAJB5AQIs2g//TXbk+qIT/kKxt/MJOUQLkID2tdWZr8Ls
2vcQm5EI8HKr+qSFih3/jyRl5A4LSZsZjQPIo6IxpGKtFLBleBH89l+4rh5D9Hit
/hpQGgIXt57yUug6vHqZiU/zh65pifVCOqvu2E7Gy6pd530AqLhRjK5IKND4GFaW
M2QPwrM2DYchWBuFIA7/r63HFQneaZqzHfR/wA1hhcvWUkDR9h9DaLbX15vG7CHI
J1rAgywVeLOMN7VjDwadvtNfDECnLYeSP91380oL6dB4zyeO18YoHHHYuFTphRSb
umz2zdU8Ku6QBXnUvJjAW3QtzvPX3scjXOgeJqHMLK+38tPkoHZvQeGRfGNmKDEQ
0fA1xFQLlRtetjKGC0L74IjdUXklvyTuGbn5P5CP+vBTLaWCcc/rqfY67NfNtIqp
SKz+9UtprxAlLN3BKkCSzIiKS3BDokbOEORHCEYEmbYkwUNVp0KEXKgAgNlFO/BS
yaL+CDxxiRdbnFixUcG8/xQj584xwOm/cp1u8otySYfSd70oTMqP11VXh+WB+6hT
zHhSMOvLzpLeM++m121ojARIXbXTQLGziLHaRSi8WH+OuB6rceic0f0HwLlBCRlk
LFxQunW2EawYlJGV5Czld4vdoHBSDGcP8bOg9M4LUtA+sKCGpgrTPombG98mhuut
7i2jUMZa7K8=
=KS16
—–END PGP SIGNATURE—–
_______________________________________________
cust-security-announce mailing list
cust-security-announce@cisco.com
To unsubscribe, send the command “unsubscribe” in the subject of your message to cust-security-announce-leave@cisco.com