New OpenSSL vulnerability - WeOnlyDo Discussion board

New OpenSSL vulnerability (wodSSH / wodSSH.NET)

by g_phanikiran, Thursday, May 05, 2016, 12:40 (564 days ago)

We have got a new vulnerability for OpenSSL:

https://www.openssl.org/news/secadv/20160503.txt

Is wodSSH.NET, WeOnlyDo.Client.FTP affected by this vulnerability? I am using v2.6 and 1.7 versions respectively.
If affected, is there a hotfix or a patch available to overcome this vulnerability?

New OpenSSL vulnerability

by Jasmine, Thursday, May 05, 2016, 13:06 (564 days ago) @ g_phanikiran

Hi.

wodSSH.NET and wodFtpDLX.NET don't use OpenSSL, so you're not affected.

Kind regards,
Jasmine.

New OpenSSL vulnerability

by Mark, Thursday, May 05, 2016, 22:06 (563 days ago) @ Jasmine

How about WODCrypt? We use OpenSSL with this component. Will there be an update?

Thanks,
Mark

New OpenSSL vulnerability

by Jasmine, Thursday, May 05, 2016, 22:08 (563 days ago) @ Mark

Hi Mark.

We're using OpenSSL 1.0.2g in all our products, as is wodCrypt. We're not affected by this vulnerability.

I hope this helps!
Jasmine.

New OpenSSL vulnerability

by Mark, Thursday, May 05, 2016, 23:36 (563 days ago) @ Jasmine

I believe the below vulnerability affects 1.0.2g.

Thanks,
Mark


CVE-2016-2107 (OpenSSL advisory) [High severity] 3rd May 2016:

A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI. This issue was introduced as part of the fix for the Lucky 13 padding attack (CVE-2013-0169). The padding check was rewritten to be in constant time by making sure that always the same bytes are read and compared against either the MAC or padding bytes. But it no longer checked that there was enough data to have both the MAC and padding bytes. Reported by Juraj Somorovsky.
Fixed in OpenSSL 1.0.1t (Affected 1.0.1s, 1.0.1r, 1.0.1q, 1.0.1p, 1.0.1o, 1.0.1n, 1.0.1m, 1.0.1l, 1.0.1k, 1.0.1j, 1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
Fixed in OpenSSL 1.0.2h (Affected 1.0.2g, 1.0.2f, 1.0.2e, 1.0.2d, 1.0.2c, 1.0.2b, 1.0.2a, 1.0.2)
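The length check the advisory says was missing, as an added illustration in C. This is not OpenSSL's code: it models the decrypted TLS CBC record layout (plaintext || MAC || padding || pad_len byte) with constructed sample records and an assumed 4-byte MAC, and shows the record being refused before any padding or MAC bytes are compared.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model of a decrypted TLS 1.x CBC record; not OpenSSL source. */
enum cbc_status { CBC_OK = 0, CBC_BAD_PADDING = 1, CBC_TOO_SHORT = 2 };

/* Hardened form: refuse the record unless it can hold the MAC, pad_len
 * padding bytes and the pad_len byte itself, before touching either.
 * A real implementation reports CBC_BAD_PADDING and a later MAC failure to
 * the peer as the same generic alert; the distinct codes here are internal. */
enum cbc_status check_cbc_record(const uint8_t *rec, size_t rec_len,
                                 size_t mac_size, size_t *plain_len) {
    if (rec_len < mac_size + 1)           /* need at least MAC + pad_len byte */
        return CBC_TOO_SHORT;
    size_t pad_len = rec[rec_len - 1];
    if (rec_len < mac_size + pad_len + 1) /* the check the advisory describes */
        return CBC_TOO_SHORT;
    /* TLS 1.1+ rule: every padding byte equals pad_len. Production code does
     * this compare, and the MAC compare, in constant time. */
    uint8_t diff = 0;
    for (size_t i = 0; i <= pad_len; i++)
        diff |= rec[rec_len - 1 - i] ^ (uint8_t)pad_len;
    if (diff != 0)
        return CBC_BAD_PADDING;
    *plain_len = rec_len - mac_size - pad_len - 1;
    return CBC_OK;
}

/* Constructed sample records (assumed 4-byte MAC of 0xAA bytes). */
#define MAC_SIZE 4
static const uint8_t sample_good[]    = { 'h', 'i', 0xAA, 0xAA, 0xAA, 0xAA, 2, 2, 2 };
static const uint8_t sample_badpad[]  = { 'h', 'i', 0xAA, 0xAA, 0xAA, 0xAA, 1, 2, 2 };
static const uint8_t sample_short[]   = { 0xAA, 0xAA, 0xAA, 0xAA, 10 }; /* claims 10 pad bytes */
static const uint8_t sample_tiny[]    = { 0xAA, 0xAA, 5 };               /* cannot hold MAC */
size_t scratch_len;

/* Returns 1 when every sample is classified as expected. */
int self_check(void) {
    size_t n = 0;
    return check_cbc_record(sample_good, sizeof sample_good, MAC_SIZE, &n) == CBC_OK
        && n == 2
        && check_cbc_record(sample_badpad, sizeof sample_badpad, MAC_SIZE, &n) == CBC_BAD_PADDING
        && check_cbc_record(sample_short, sizeof sample_short, MAC_SIZE, &n) == CBC_TOO_SHORT
        && check_cbc_record(sample_tiny, sizeof sample_tiny, MAC_SIZE, &n) == CBC_TOO_SHORT;
}
```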

New OpenSSL vulnerability

by Jasmine, Sunday, May 08, 2016, 17:32 (560 days ago) @ Mark

Hi Mark.

Fixed, we've switched to 1.0.2h.

Jasmine.

New OpenSSL vulnerability

by Ihor, Tuesday, May 10, 2016, 10:43 (559 days ago) @ Jasmine

What about the wodSSH ActiveX component? We are using version 3.0.0. Is it affected by these vulnerabilities?

New OpenSSL vulnerability

by Jasmine, Tuesday, May 10, 2016, 11:55 (559 days ago) @ Ihor

Hi Ihor.

We update OpenSSL for each component when it needs to be recompiled. I have forced wodSSH (and other components) to be recompiled now, so please request an update.

Kind regards,
Jasmine.