News & Announcements
UC Information Technology Managers,

Please read the below information about the end-of-life support for OpenSSL. If you have any questions or concerns please contact us.

firstname.lastname@example.org | (513) 558-4732
_____________________________________________________
BACKGROUND:

The OpenSSL Software Foundation has announced that support for OpenSSL versions 1.0.0 and 0.9.8 will end on December 31, 2015. The updates, 1.0.0t and 0.9.8zh, released on December 3, 2015, are expected to be the last released updates. As a result, after December 31, 2015, the OpenSSL Software Foundation will no longer provide security updates or hot fixes for the 1.0.0 or 0.9.8 versions of OpenSSL.

OpenSSL is an open source toolkit for implementing the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. Failure to properly upgrade these libraries or software components on affected systems in a timely manner may potentially subject the university to a higher level of risk, thus increasing the potential for compromise.
_____________________________________________________
RECOMMENDATIONS:

Since these libraries will no longer be supported after December 31, 2015, they pose a significant security risk to organizations using them. IT@UC Office of Information Security recommends departments inventory their systems to determine if OpenSSL 1.0.0 or 0.9.8 are still in use. A proper migration plan should be developed to ensure systems are upgraded appropriately. If the system cannot be updated for any reason, please submit a Risk Acceptance Form to the IT@UC Office of Information Security.

Additional information on the risk acceptance process can be found here: https://www.uc.edu/infosec/services/riskmgmt.html
_____________________________________________________
REFERENCES:

https://www.openssl.org/about/releasestrat.html
https://www.openssl.org/news/secadv/20151203.txt
http://www.csoonline.com/article/3011888/data-protection/no-more-security-fixes-for-older-openssl-branches.html#tk.rss_news
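
One way to carry out the inventory recommended above, as an added example that is not part of the original announcement or IT@UC tooling: it reads the version banner embedded in OpenSSL library files instead of trusting file names. The function names, the file-name prefixes and the banner pattern are assumptions, and the sample files are constructed.

```python
import os
import re
import tempfile

# Assumed banner format embedded in OpenSSL builds, e.g. "OpenSSL 1.0.0t 3 Dec 2015".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)[ -]")
# Branches the announcement names as unsupported after December 31, 2015.
EOL_BRANCHES = {"1.0.0", "0.9.8"}
# Assumed library file-name prefixes (Unix shared objects and Windows DLLs).
LIB_PREFIXES = ("libssl", "libcrypto", "libeay32", "ssleay32")


def banners_in(path):
    """Return the set of (branch, letter) banners in a file; empty if unreadable."""
    try:
        with open(path, "rb") as fh:
            return set(BANNER.findall(fh.read()))
    except OSError:
        return set()


def inventory(root):
    """Walk root and return [(path, version, is_eol)] for OpenSSL library files."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not name.lower().startswith(LIB_PREFIXES) or os.path.islink(path):
                continue  # skip unrelated files; count each real file once
            for branch, letter in sorted(banners_in(path)):
                version = (branch + letter).decode()
                results.append((path, version, branch.decode() in EOL_BRANCHES))
    return results


def demo():
    """Run the inventory over constructed sample files (not real libraries)."""
    samples = {
        # 1.0.1 builds also ship as "*.so.1.0.0": the name alone is misleading.
        "libcrypto.so.1.0.0": b"\x00OpenSSL 1.0.1e-fips 11 Feb 2013\x00",
        "libssl.so.0.9.8": b"\x00SSLv3 part of OpenSSL 0.9.8zh 3 Dec 2015\x00",
        "libeay32.dll": b"\x00OpenSSL 1.0.0t 3 Dec 2015\x00",
        "notes.txt": b"OpenSSL 0.9.8 is mentioned here",  # not a library name
    }
    with tempfile.TemporaryDirectory() as root:
        for name, blob in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(blob)
        return sorted((os.path.basename(p), v, eol) for p, v, eol in inventory(root))


if __name__ == "__main__":
    for row in demo():
        print(row)
```

A file-name scan like this does not find OpenSSL code that is statically linked into other binaries, so vendor documentation and package manager records are still needed for those systems.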
Are you aware that you can sign up for Securing the Human Training and take it on your own? Securing the Human is computer-based security awareness training for End Users. If you would like to participate, visit our page at uc.edu/infosec and click on Securing the Human under the Awareness tab.
US-CERT National Cyber Awareness System Feed
- Thu Dec 3 2015, 6:40 PM
Original release date: December 03, 2015 Systems Affected Microsoft Windows Overview Dorkbot is a botnet used to s...
- Tue Nov 10 2015, 8:12 PM
Original release date: November 10, 2015 | Last revised: November 13, 2015 Systems Affected Compromised web servers wi...