News & Announcements

OpenSSL versions 1.0.0 and 0.9.8 end-of-life

UC Information Technology Managers,

Please read the information below about the end-of-life support for OpenSSL. If you have any questions or concerns, please contact us.

abuse@uc.edu | (513) 558-4732

_____________________________________________________

BACKGROUND:

The OpenSSL Software Foundation has announced that support for OpenSSL versions 1.0.0 and 0.9.8 will end on December 31, 2015. The updates, 1.0.0t and 0.9.8zh, released on December 3, 2015, are expected to be the last released updates. As a result, after December 31, 2015, the OpenSSL Software Foundation will no longer provide security updates or hot fixes for the 1.0.0 or 0.9.8 versions of OpenSSL.

OpenSSL is an open source toolkit for implementing the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. Failure to properly upgrade these libraries or software components on affected systems in a timely manner may potentially subject the university to a higher level of risk, thus increasing the potential for compromise.

_____________________________________________________

RECOMMENDATIONS:

Since these libraries will no longer be supported after December 31, 2015, they pose a significant security risk to organizations using them. IT@UC Office of Information Security recommends departments inventory their systems to determine if OpenSSL 1.0.0 or 0.9.8 is still in use. A proper migration plan should be developed to ensure systems are upgraded appropriately.

If the system cannot be updated for any reason, please submit a Risk Acceptance Form to the IT@UC Office of Information Security. Additional information on the risk acceptance process can be found here: https://www.uc.edu/infosec/services/riskmgmt.html

_____________________________________________________

REFERENCES:

https://www.openssl.org/about/releasestrat.html
https://www.openssl.org/news/secadv/20151203.txt
http://www.csoonline.com/article/3011888/data-protection/no-more-security-fixes-for-older-openssl-branches.html#tk.rss_news
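For the inventory step recommended above, the following is an added example, not part of the original notice or an IT@UC tool: it classifies version banners collected from systems (for instance the output of `openssl version`) against the two end-of-life branches and their final updates, 1.0.0t and 0.9.8zh. The hostnames and sample banners are constructed, and the function names are hypothetical.

```python
import re

# Branches the notice lists as unsupported after December 31, 2015, mapped to
# the final patch letter of each (1.0.0t and 0.9.8zh).
EOL_FINAL = {"1.0.0": "t", "0.9.8": "zh"}

# Banner shape printed by `openssl version` and embedded in the libcrypto
# library, e.g. "OpenSSL 0.9.8zh 3 Dec 2015". Build tags such as "-fips" are ignored.
BANNER = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def letter_rank(letters):
    """Order patch letters the way OpenSSL issues them: '' < a < ... < z < za < zb."""
    return (len(letters), letters)


def classify(banner):
    """Return (status, version) for one version banner."""
    match = BANNER.search(banner)
    if not match:
        return ("unparsed", None)
    branch, letters = match.groups()
    version = branch + letters
    final = EOL_FINAL.get(branch)
    if final is None:
        return ("other-branch", version)
    if letter_rank(letters) < letter_rank(final):
        return ("eol-missing-final-update", version)
    return ("eol-final-update", version)


def inventory(rows):
    """Keep only hosts on an end-of-life branch, as (host, version, status)."""
    found = []
    for host, banner in rows:
        status, version = classify(banner)
        if status.startswith("eol-"):
            found.append((host, version, status))
    return found


# Constructed sample data: hypothetical hostnames paired with collected banners.
SAMPLE = [
    ("web01.example.edu", "OpenSSL 1.0.0t 3 Dec 2015"),
    ("app02.example.edu", "OpenSSL 0.9.8zg 11 Jun 2015"),
    ("db03.example.edu", "OpenSSL 1.0.2d 9 Jul 2015"),
    ("old04.example.edu", "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008"),
]

if __name__ == "__main__":
    for host, version, status in inventory(SAMPLE):
        print(f"{host}\t{version}\t{status}")
```

An operating-system package may carry vendor-backported fixes under an old banner, so a hit on a distribution-supplied library is a prompt to check the vendor's support status for that package rather than proof of missing patches.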
