OpenSSL releases seven patches for seven vulns
Flood of fixes to clear LogJam flaw
Users are being urged to upgrade OpenSSL to prevent eavesdroppers listening to otherwise encrypted connections undermined through the LogJam vulnerability thought to be the NSA's crypto-cracking tool of choice.
OpenSSL maintainers have patched seven vulnerabilities including the LogJam vulnerability (CVE-2015-4000) which allows attackers to trick browsers into considering an insecure encrypted connection as secure.
"A vulnerability in the TLS protocol allows a man-in-the-middle attacker to downgrade vulnerable TLS connections using ephemeral Diffie-Hellman key exchange to 512-bit export-grade cryptography," OpenSSL maintainers wrote in an advisory.
"OpenSSL has added protection for TLS clients by rejecting handshakes with DH parameters shorter than 768 bits. This limit will be increased to 1024 bits in a future release."
Users should upgrade OpenSSL 1.0.2 to 1.0.2b and 1.0.1 to 1.0.1n.
LogJam was found as part of the investigation into the FREAK vulnerability which allows secure TLS connections to be downgraded to use weak export-quality encryption.
LogJam cloaks this process.
Some 20,000 websites are exposed to the flaw where attackers can using the same network as victims target some 575 cloud services to man-in-the-middle attacks, according to Skyhigh Networks statistics.
The research reveals the average company uses 71 potentially vulnerable cloud services. ®