On Monday, the OpenSSL project team announced that new releases would be available today to fix security issues in OpenSSL discovered as part of a major security audit and code refactoring project. The announcement caused a general panic in the IT and security community because it mentioned that vulnerabilities with a high severity were being patched, leading many to believe they could be as severe as Heartbleed.
Luckily, it appears the security community has dodged a bullet: the two "high severity" vulnerabilities that were patched are not as severe as Heartbleed. They are CVE-2015-0291 and CVE-2015-0204. CVE-2015-0291 can result in a denial of service attack against a server that requests a client's certificate, which is not something that would occur in most circumstances, as it is usually the client that requests the server's certificate.
CVE-2015-0204 is a reclassification of the existing and well-known FREAK vulnerability (CVE-2015-0204 & CVE-2015-1637); rules for detection are already available in Tripwire IP360. Below are the two high severity vulnerability descriptions from the advisory provided by the OpenSSL project:
CVE-2015-0291 - OpenSSL 1.0.2 ClientHello sigalgs DoS

Severity: High

If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension a NULL pointer dereference will occur. This can be exploited in a DoS attack against the server.

This issue affects OpenSSL version: 1.0.2

OpenSSL 1.0.2 users should upgrade to 1.0.2a.

This issue was reported to OpenSSL on 26th February 2015 by David Ramos of Stanford University. The fix was developed by Stephen Henson and Matt Caswell of the OpenSSL development team.
CVE-2015-0204 - Reclassified: RSA silently downgrades to EXPORT_RSA [Client]

Severity: High

This security issue was previously announced by the OpenSSL project and classified as "low" severity. This severity rating has now been changed to "high".

This was classified low because it was originally thought that server RSA export ciphersuite support was rare: a client was only vulnerable to a MITM attack against a server which supports an RSA export ciphersuite. Recent studies have shown that RSA export ciphersuites support is far more common.

This issue affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.

This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen Henson of the OpenSSL core team. It was previously announced in the OpenSSL security advisory on 8th January 2015.
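
To triage hosts against the fixed releases listed in the two descriptions above, the following added example (not code from the OpenSSL project or from this post) compares a version banner with the advisory's upgrade targets, including the two-letter suffix ordering used on the 0.9.8 branch. The function names and the sample banners are assumptions constructed for illustration.

```python
import re

# Fixed release per affected branch, taken from the advisory text quoted above.
FIXED = {
    "CVE-2015-0291": {"1.0.2": "a"},
    "CVE-2015-0204": {"1.0.1": "k", "1.0.0": "p", "0.9.8": "zd"},
}

VERSION_RE = re.compile(r"(\d+\.\d+\.\d+)([a-z]*)")


def parse_version(text):
    """Split e.g. 'OpenSSL 1.0.1j 15 Oct 2014' into ('1.0.1', 'j')."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return match.group(1), match.group(2)


def patch_rank(letters):
    """Order patch letters: '' < 'a' < ... < 'z' < 'za' < 'zb' < ..."""
    return (len(letters), letters)


def unpatched_cves(version_text):
    """Return the advisory's high severity CVEs not yet fixed in this version."""
    branch, letters = parse_version(version_text)
    return sorted(
        cve
        for cve, fixed in FIXED.items()
        if branch in fixed and patch_rank(letters) < patch_rank(fixed[branch])
    )


# Constructed sample banners in the style of `openssl version` output.
SAMPLES = [
    "OpenSSL 1.0.2 22 Jan 2015",
    "OpenSSL 1.0.2a 19 Mar 2015",
    "OpenSSL 1.0.1j 15 Oct 2014",
    "OpenSSL 1.0.1k 8 Jan 2015",
    "OpenSSL 0.9.8zc 15 Oct 2014",
    "OpenSSL 0.9.8zd 8 Jan 2015",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(f"{banner:32} -> {unpatched_cves(banner) or 'no listed issue'}")
```

Distribution packages often backport fixes without changing the upstream version letter, so treat a match as a prompt to check the package changelog rather than as proof of exposure.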