OpenSSL contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the Datagram Transport Layer Security (DTLS) implementation will only perform a MAC check if certain padding is valid. This may allow a remote attacker to more easily gain access to potentially sensitive data via a padding oracle attack.

Upgrade to version 0.9.8s or higher or 1.0.0f or higher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• CVE ID: 2011-4108 (see also: NVD)
• SCIP VulDB ID: 4514
• Secunia Advisory ID: 47426 47528 47601 47607 47673 47748 47752 47925 48238 48528 49402 49592 49670 50476 50736 52019 52292 52543 52694 52869 52892 53615 53643/ 53684 53720
• Bugtraq ID: 51281
• CERT VU: 737740
• Related OSVDB ID: 78187 78188 78189 78190 78191
• Vendor Specific Advisory URL: http://aix.software.ibm.com/aix/efixes/security/openssl_advisory3.asc
  http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041
  http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03383940
  http://openssl.org/news/secadv_20120104.txt
  http://support.apple.com/kb/HT5784
  http://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_sterling_connect_enterprise_for_unix_is_affected_by_multiple_vulnerabilities_in_openssl12
  http://www.vmware.com/security/advisories/VMSA-2012-0013.html
  https://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_infosphere_balanced_warehouse_c3000_c4000_and_d5100_and_ibm_smart_analytics_system_1050_2050_5600_and_5710_are_affected_by_vulnerabilities_in_openssl16
• Vendor Specific News/Changelog Entry: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03141193
  http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03315912
  http://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03383940
  http://lists.opensuse.org/opensuse-updates/2012-01/msg00029.html
  http://lists.opensuse.org/opensuse-updates/2013-02/msg00069.html
  http://www-01.ibm.com/support/docview.wss?uid=isg400001529
  http://www-01.ibm.com/support/docview.wss?uid=isg400001530
  http://www-01.ibm.com/support/docview.wss?uid=swg21637929
  http://www-01.ibm.com/support/docview.wss?uid=swg21638670
  http://www.debian.org/security/2012/dsa-2390
  http://www.gentoo.org/security/en/glsa/glsa-201203-12.xml
  http://www.ibm.com/support/docview.wss?uid=nas12088ececb530423186257b410072035e
  http://www.ibm.com/support/docview.wss?uid=swg21627934
  http://www.ibm.com/support/docview.wss?uid=swg21633107
  http://www.ubuntu.com/usn/usn-1357-1/
  https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_tivoli_netcool_system_service_monitors_application_service_monitors_is_affected_by_multiple_openssl_vulnerabilities?lang=en_us
  https://www.ibm.com/support/docview.wss?uid=swg21619837
• Mail List Post: http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00017.html
  http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00018.html
  http://prod.lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
  http://seclists.org/bugtraq/2012/Jan/151
  http://seclists.org/bugtraq/2012/Jun/170
• Vendor URL: http://openssl.org/
• Packet Storm: http://packetstormsecurity.com/files/121573/HP-Security-Bulletin-HPSBMU02786-SSRT100877-2.html
  http://packetstormsecurity.org/files/113582/HP-Security-Bulletin-HPSBMU02776-SSRT100852.html
• Other Advisory URL: http://www.isg.rhul.ac.uk/~kp/dtls.pdf
  http://www.mandriva.com/security/advisories?name=MDVSA-2012:006
  http://www.mandriva.com/security/advisories?name=MDVSA-2012:007
• RedHat RHSA: RHSA-2012:0059 RHSA-2012:0060 RHSA-2012:1306 RHSA-2012:1307 RHSA-2012:1308

• Nadhem Alfardan - Information Security Group at Royal Holloway, University of London
• Kenny Paterson - Information Security Group at Royal Holloway, University of London