OpenSSL has announced a ‘Security Advisory’ today related to a severe vulnerability in the OpenSSL library (CVE-2015-1793).
According to a report published by Tripwire.com, the issue was first reported by Adam Langley and David Benjamin of Google/BoringSSL on June 24, 2015. The vulnerability affects only a few OpenSSL versions, including 1.0.2c, 1.0.2b, 1.0.1n, and 1.0.1o. It can be used to compromise any application that verifies certificates, including those that use SSL and TLS.
In simple terms, this vulnerability can allow an attacker to masquerade as an authentic server and, in turn, fool a user into submitting sensitive information.
We at PureVPN want to reassure our users that our services are completely safe and protected against the CVE-2015-1793 OpenSSL vulnerability. As mentioned above, the vulnerability only exists in recent versions of OpenSSL.
As a standard practice, we only employ the most stable and production-tested upgrade versions of software and servers, which includes OpenSSL. Another important point to note is that not every standard OS release is vulnerable to this threat.
According to the ‘Security Advisory’ published by OpenSSL, users who run a custom system or have a recent version of OpenSSL installed are most vulnerable to this bug. In such a scenario, OpenSSL 1.0.2b/1.0.2c users are urged to upgrade to 1.0.2d, whereas those with OpenSSL 1.0.1n/1.0.1o should upgrade to 1.0.1p.
After the ‘Heartbleed’ fiasco, OpenSSL has made a point of pre-announcing high-severity security bug fixes. Coincidentally, the media isn’t doing anyone a service by hyping these upcoming releases as the ‘Next Heartbleed’. Tim Erlin, Director of Product Management at Tripwire, said:
“There’s an interesting cycle with OpenSSL vulnerabilities after Heartbleed. OpenSSL pre-announces a high severity vulnerability, which causes the information security community to start making noise about the ‘next Heartbleed,’”
So far, this has not been the case. And, with PureVPN, users don’t have to worry about the threat of the ‘Next Heartbleed’. Your favorite VPN is secure and our first priority is to offer the best solution for complete internet freedom to our users.
* For more information about the bug, check out this follow-up article by The State of Security.