OpenSSL Vulnerability [CVE-2018-0732 & CVE-2018-0737]

Hi,

We have updated OpenSSL to the latest LTS version: 1.0.2 p

The above update includes fix for the following Vulnerabilities:

CVE-2018-0732:
During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o).

Find more info at: https://nvd.nist.gov/vuln/detail/CVE-2018-0732

CVE-2018-0737:
The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o).

Find more info at: https://nvd.nist.gov/vuln/detail/CVE-2018-0737

We recommend all users to update OpenSSL, Webserver and related Libraries to protect your server against the above attacks.

Let me know if you have any questions in the comment section.

Regards,
The Webuzo Team