News & Announcements
The Office of Information Security was incredibly proud to be a part of #ucserves. UC Serves is a volunteer opportunity organized especially for University of Cincinnati faculty and staff to give back to the community through meaningful engagement. For more information please visit UC Serves!
OVERVIEW: Multiple vulnerabilities have been discovered in OpenSSL, the most severe of which could result in a bypass of security features. OpenSSL is an open-source implementation of the SSL and TLS protocols used by a number of applications and products. SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are protocols which ensure secure communication over the Internet via encryption. Successful exploitation of these vulnerabilities could allow an attacker to bypass certain security measures, cause denial of service conditions, or lead to information disclosure.
UC Information Technology Managers, Please read the below information about the end-of-life support for OpenSSL. If you have any questions or concerns please contact us. email@example.com | (513) 558-4732 _____________________________________________________ BACKGROUND: The OpenSSL Software Foundation has announced that support for OpenSSL versions 1.0.0 and 0.9.8 will end on December 31, 2015. The updates, 1.0.0t and 0.9.8zh, released on December 3, 2015, are expected to be the last released updates. As a result, after December 31, 2015, the OpenSSL Software Foundation will no longer provide security updates or hot fixes for the 1.0.0 or 0.9.8 versions of OpenSSL. OpenSSL is an open source toolkit for implementing the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. Failure to properly upgrade these libraries or software components on affected systems in a timely manner may potentially subject the university to a higher level of risk, thus increasing the potential for compromise. _____________________________________________________ RECOMMENDATIONS: Since these libraries will no longer be supported after December 31, 2015, they pose a significant security risk to organizations using them. IT@UC Office of Information Security recommends departments inventory their systems to determine if OpenSSL 1.0.0 or 0.9.8 are still in use. A proper migration plan should be developed to ensure systems are upgraded appropriately. If the system cannot be updated for any reason, please submit a Risk Acceptance Form to the IT@UC Office of Information Security. Additional information on the risk acceptance process can be found here: https://www.uc.edu/infosec/services/riskmgmt.html _____________________________________________________ REFERENCES: https://www.openssl.org/about/releasestrat.html https://www.openssl.org/news/secadv/20151203.txt http://www.csoonline.com/article/3011888/data-protection/no-more-security-fixes-for-older-openssl-branches.html#tk.rss_news
US-CERT National Cyber Awareness System Feed
- Tue Jul 5 2016, 10:50 AM
Original release date: July 05, 2016 Systems Affected All Symantec and Norton branded antivirus products Overview ...
- Mon May 23 2016, 7:38 AM
Original release date: May 23, 2016 | Last revised: June 01, 2016 Systems Affected Windows, OS X, Linux systems, and w...