News from 2016-05-19
Meinberg Security Advisory: [MBGSA-1603] OpenSSL
The OpenSSL project published a security advisory on May 3rd, 2016 describing multiple vulnerabilities affecting OpenSSL 1.0.2g and older versions. LANTIME Firmware Version 6.18.017 therefore updates the OpenSSL version to 1.0.2h, the current stable version as recommended by the OpenSSL project.
CVE-IDs:
OPENSSL:
see OpenSSL Security Announcement
1. Description of the Problem
The version of the OpenSSL libraries and binaries installed on LANTIME firmware appliances contains several security vulnerabilities, as described in the official OpenSSL security advisory. Meinberg therefore recommends updating your LANTIME devices as soon as possible by installing LTOS 6.18.017 (a download link can be requested below).
2. Affected Systems
All LANTIME Firmware Versions before V6.18.017 are theoretically affected by these vulnerabilities.
3. Possible Defense Strategies
Meinberg Products
The fixes for the OpenSSL vulnerabilities are included in 6.18.017, which is available as of today.
Meinberg LANTIME Firmware Updates
For V5 versions and all V6 versions we strongly recommend updating to 6.18.017 as soon as possible. Please contact your Meinberg support for assistance or in case of questions.
Other OpenSSL Installations
Please contact your OS vendor to find out how to protect your systems and how to update to OpenSSL 1.0.2h, if possible.
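A fleet triage check against the two thresholds this advisory gives (LTOS 6.18.017 and OpenSSL 1.0.2h), as an added example that is not Meinberg's code. The inventory rows, hostnames and the `triage` helper are constructed for illustration, and version strings that cannot be parsed are reported for manual review instead of being treated as fixed.

```python
import re

FIXED_LTOS = (6, 18, 17)         # LTOS 6.18.017, per the advisory
FIXED_OPENSSL = (1, 0, 2, "h")   # OpenSSL 1.0.2h, per the advisory

def parse_ltos(text):
    """'V6.18.017' or '6.18.017' -> (6, 18, 17); None if the format is unknown."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def parse_openssl(text):
    """Accepts '1.0.2g' or `openssl version` output; None if no version is found."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    # The letter suffix sorts as a string: '' < 'a' < ... < 'g' < 'h'.
    return (int(m[1]), int(m[2]), int(m[3]), m[4]) if m else None

def triage(inventory):
    """Return {host: 'update' | 'ok' | 'review'} for (host, kind, version) rows."""
    result = {}
    for host, kind, version in inventory:
        if kind == "lantime":
            parsed, fixed = parse_ltos(version), FIXED_LTOS
        elif kind == "openssl":
            parsed, fixed = parse_openssl(version), FIXED_OPENSSL
        else:
            parsed, fixed = None, None
        if parsed is None:
            result[host] = "review"   # never report an unparsed version as fixed
        else:
            result[host] = "ok" if parsed >= fixed else "update"
    return result

# Constructed sample inventory (hypothetical hostnames and version strings).
SAMPLE = [
    ("ntp-a", "lantime", "V6.18.017"),
    ("ntp-b", "lantime", "6.18.013"),
    ("ntp-c", "lantime", "6.20.004"),
    ("ntp-d", "lantime", "unknown"),
    ("web-1", "openssl", "OpenSSL 1.0.2g  1 Mar 2016"),
    ("web-2", "openssl", "OpenSSL 1.0.2h  3 May 2016"),
    ("web-3", "openssl", "1.0.2"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

The comparison uses only the reported version string, so an "update" result for an OpenSSL package supplied by an operating system is a prompt to check with the OS vendor, as recommended above.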
4. Additional Information Sources
More about this topic can be found on the following websites:
Ars Technica News Article covering the OpenSSL vulnerabilities
OpenSSL Security Advisory May 3rd
Infoworld News Article about the security vulnerabilities found
Please do not hesitate to reach out to your Meinberg support contact if you need further assistance or have additional questions.