Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017

On January 26, 2017, the OpenSSL Software Foundation released a security advisory that included three new vulnerabilities. The foundation also released one vulnerability that was already disclosed in the OpenSSL advisory for November 2016 and included in the Cisco Security Advisory Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: November 2016 [“https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161114-openssl”]. OpenSSL classifies all the new vulnerabilities as “Moderate Severity.”

The first vulnerability affects only OpenSSL used on 32-bit systems architecture and may cause OpenSSL to crash. The second vulnerability affects only version 1.1.0 and occurs only when OpenSSL is used on the client side. The second vulnerability may cause OpenSSL to crash when connecting to a malicious server. The third vulnerability affects only systems based on x86_64 architecture. A successful exploit of the third vulnerability could allow the attacker to access sensitive private key information.

Multiple Cisco products incorporate a version of the OpenSSL package that is affected by one or more of these vulnerabilities.

There are no Cisco products affected by the vulnerability identified by CVE ID CVE-2017-3730.

On February 16, 2017, the OpenSSL Software Foundation released another security advisory that included one high severity vulnerability identified by CVE ID CVE-2017-3733.

There are no Cisco products affected by this vulnerability.

This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170130-openssl [“https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170130-openssl”]