News & Announcements
OVERVIEW: Multiple vulnerabilities have been discovered in OpenSSL, the most severe of which could result in a bypass of security features. OpenSSL is an open-source implementation of the SSL and TLS protocols used by a number of applications and products. SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are protocols that secure communication over the Internet via encryption. Successful exploitation of these vulnerabilities could allow an attacker to bypass certain security measures, cause denial of service conditions, or lead to information disclosure.
UC Information Technology Managers,

Please read the information below about the end of support for OpenSSL. If you have any questions or concerns, please contact us.

firstname.lastname@example.org | (513) 558-4732

_____________________________________________________

BACKGROUND:

The OpenSSL Software Foundation has announced that support for OpenSSL versions 1.0.0 and 0.9.8 will end on December 31, 2015. The updates 1.0.0t and 0.9.8zh, released on December 3, 2015, are expected to be the last releases for these branches. As a result, after December 31, 2015, the OpenSSL Software Foundation will no longer provide security updates or hot fixes for the 1.0.0 or 0.9.8 versions of OpenSSL.

OpenSSL is an open source toolkit for implementing the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. Failure to upgrade these libraries or software components on affected systems in a timely manner may subject the university to a higher level of risk, increasing the potential for compromise.

_____________________________________________________

RECOMMENDATIONS:

Since these libraries will no longer be supported after December 31, 2015, they pose a significant security risk to organizations using them. IT@UC Office of Information Security recommends that departments inventory their systems to determine whether OpenSSL 1.0.0 or 0.9.8 is still in use. A migration plan should be developed to ensure systems are upgraded appropriately. If a system cannot be updated for any reason, please submit a Risk Acceptance Form to the IT@UC Office of Information Security.

Additional information on the risk acceptance process can be found here: https://www.uc.edu/infosec/services/riskmgmt.html

_____________________________________________________

REFERENCES:

https://www.openssl.org/about/releasestrat.html
https://www.openssl.org/news/secadv/20151203.txt
http://www.csoonline.com/article/3011888/data-protection/no-more-security-fixes-for-older-openssl-branches.html#tk.rss_news
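The inventory step above can be partly automated. The following script is an added example written for this page, not a tool provided by IT@UC or the OpenSSL project. It parses the output format of `openssl version` (e.g. "OpenSSL 1.0.0t 3 Dec 2015"), flags the two branches named in the advisory (0.9.8 and 1.0.0) as end-of-life, and on Linux lists the libssl/libcrypto shared objects known to the dynamic linker so that additional copies can be checked. The function names are this example's own. It only finds the system OpenSSL and dynamically linked libraries; applications that bundle or statically link their own copy of OpenSSL must be inventoried separately (for instance from vendor documentation or package manifests).

```shell
#!/bin/sh
# Added example (not part of the IT@UC advisory): classify OpenSSL version
# strings against the branches whose support ended on December 31, 2015.

# is_eol_openssl "OpenSSL 1.0.0t 3 Dec 2015" -> prints "EOL" or "supported".
# Only the 0.9.8 and 1.0.0 branches named in the advisory are treated as EOL.
is_eol_openssl() {
  # The version number is the second whitespace-delimited field.
  ver=$(printf '%s\n' "$1" | awk '{print $2}')
  case "$ver" in
    0.9.8*|1.0.0*) echo "EOL" ;;
    *)             echo "supported" ;;
  esac
  return 0
}

# inventory_openssl: report the system openssl binary's version and its
# classification, then list libssl/libcrypto shared objects registered with
# the dynamic linker (Linux ldconfig). Each of those paths can be checked
# against the distribution's package metadata for its actual version.
inventory_openssl() {
  if command -v openssl >/dev/null 2>&1; then
    v=$(openssl version)
    printf 'system binary: %s -> %s\n' "$v" "$(is_eol_openssl "$v")"
  else
    echo "system binary: openssl not found in PATH"
  fi
  if command -v ldconfig >/dev/null 2>&1; then
    echo "shared objects known to the dynamic linker:"
    ldconfig -p 2>/dev/null | awk '/libssl|libcrypto/ {print $NF}' | sort -u
  fi
}

# Run the inventory when executed directly.
inventory_openssl
```

Run it on each host as part of the inventory; any line reporting "EOL" should go on the migration plan or, if the system cannot be updated, into a Risk Acceptance Form as described above.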
Are you aware that you can sign up for Securing the Human training and take it on your own? Securing the Human is computer-based security awareness training for end users. If you would like to participate, visit our page at uc.edu/infosec and click on Securing the Human under the Awareness tab.