The OpenSSL Project is an Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS) protocols as well as a general purpose cryptography library and contains the following vulnerability:
Allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet, An attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server support AES-NI.
Affected Versions: OpenSSL 1.0.2 prior to OpenSSL 1.0.2h OpenSSL 1.0.1 prior to OpenSSL 1.0.1t
Solution: Affected users should upgrade OpenSSL.
Check existing version of OpenSSL using this command:
# openssl version -a
Steps to upgrade OpenSSL version:
1. wget https://www.openssl.org/source/openssl-1.0.2j.tar.gz
2. tar -xvf openssl-1.0.2j.tar.gz
3. cd openssl-1.0.2j/
4. ./config –prefix=/usr/
5. sudo apt-get install make.
6. sudo apt-get install gcc.
8. make install.
9. Now run openssl version -a again to check the version.