Following Heartbleed, the widely publicized vulnerability in OpenSSL, another critical vulnerability was found on May 5, 2014 and assigned the identifier CVE-2014-0224 (OpenSSL CCS Injection). CVE-2014-0224 is informally called Heartbleed 2. It affects major web sites, products, and software solutions that use OpenSSL.
An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-Middle (MitM) attack where the attacker can decrypt and modify traffic from the attacked client and server. The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.
- OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
- OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
- OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.
ERPScan specialists strongly recommend that companies using SAP products such as Relay Server Outbound, SAP Community Network, Mobilink Server, SQL Anywhere Server, SAP Netweaver, and SAP HANA check their OpenSSL version and update it if necessary to secure their infrastructure.
A script for testing your OpenSSL is available at tripwire.com.
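For a quick inventory check, the version rules above can be applied to the string printed by `openssl version`. The following is an added example, not the Tripwire script or ERPScan code; the function names and sample strings are assumptions made for illustration, and it encodes only the branches and fixed releases listed on this page.

```python
import re

# Fixed patch letter per branch, taken from the upgrade list above.
FIXED = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}
# Branch in which servers are known to be vulnerable, per the text above.
SERVER_AFFECTED = {"1.0.1"}

# Matches "OpenSSL 1.0.1g 7 Apr 2014", "1.0.1e-fips", "1.0.2-beta1", ...
_VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+\.\d+\.\d+)([a-z]*)(-[\w.]+)?")


def parse_version(text):
    """Return (base, patch_letters, tag), e.g. ('1.0.1', 'e', '-fips')."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    return m.group(1), m.group(2), m.group(3) or ""


def patch_rank(letters):
    """Order patch letters: '' < a < ... < z < za < zb (length first)."""
    return (len(letters), letters)


def assess(version_text):
    """Classify a version string against the advisory.

    Returns None for releases the advisory text does not list.
    """
    base, letters, tag = parse_version(version_text)
    if base == "1.0.2" and tag == "-beta1":
        # Named as an affected server; the page lists no fixed 1.0.2 release.
        return {"client_vulnerable": True, "server_known_vulnerable": True,
                "upgrade_to": None}
    if base not in FIXED:
        return None
    vulnerable = patch_rank(letters) < patch_rank(FIXED[base])
    return {
        "client_vulnerable": vulnerable,
        "server_known_vulnerable": vulnerable and base in SERVER_AFFECTED,
        "upgrade_to": base + FIXED[base] if vulnerable else None,
    }


if __name__ == "__main__":
    # Constructed sample inputs in the format printed by `openssl version`.
    for sample in ("OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 0.9.8y 5 Feb 2013",
                   "OpenSSL 1.0.1e-fips 11 Feb 2013", "OpenSSL 1.0.0m 5 Jun 2014"):
        print(sample, "->", assess(sample))
```

Distribution packages often backport the fix without changing the upstream version string, so a "vulnerable" result for a vendor build should be confirmed against that vendor's security advisory.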