On 15th Oct 2014 the OpenSSL project released 1.0.1j, which fixed several security vulnerabilities rated high severity or lower. Official OpenVPN Windows installers bundle OpenSSL 1.0.1, so the OpenVPN project had to make a new Windows installer release (I004/I604) to pick up the fix. On *NIX-based operating systems OpenSSL is typically dynamically linked to OpenVPN, so OpenSSL upgrades are delivered by the OS vendor's package updates rather than by an OpenVPN release.

List of vulnerabilities

| Vulnerability name | ID | Affects OpenVPN? | Mitigation |
| --- | --- | --- | --- |
| SRTP Memory Leak | CVE-2014-3513 | Denial-of-service only | TLS auth can protect against this vulnerability [1] |
| Session Ticket Memory Leak | CVE-2014-3567 | Denial-of-service only | TLS auth can protect against this vulnerability [1] |
| SSL 3.0 Fallback protection | CVE-2014-3568 | No SSLv3 in OpenVPN, not affected | - |
| Build option no-ssl3 is incomplete | - | No SSLv3 in OpenVPN, not affected | - |

Analysis of the impact of these vulnerabilities is taken from here.

[1] The protection is limited in environments where the TLS auth key is widely distributed (large organizations) or public (VPN service providers), since anyone holding the key can still send control-channel packets that pass the HMAC check and reach the OpenSSL code.
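As an added example (not part of the original wiki page), the POSIX shell script below performs the two checks a practitioner would want after reading the table: it extracts the OpenSSL version an OpenVPN binary is linked against from `openvpn --version` output and reports whether it is at or past 1.0.1j, and it checks whether a server config has the `tls-auth` mitigation enabled. Assumptions: the `library versions: OpenSSL ...` line format is taken from OpenVPN 2.3-era output and the sample outputs and config fragments are constructed; versions from branches newer than 1.0.1 (1.0.2, 1.1.x, 3.x) are treated as postdating the fix, and older branches (1.0.0, 0.9.8) are flagged for manual checking because this page only names 1.0.1j.

```shell
#!/bin/sh
# Added example, not from the OpenVPN wiki: check the linked OpenSSL version
# against the 1.0.1j fix and check a config for the tls-auth mitigation.

# Constructed sample output of `openvpn --version` (2.3-era format assumed).
SAMPLE_OLD='OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Sep 18 2014
library versions: OpenSSL 1.0.1f 6 Jan 2014, LZO 2.06'
SAMPLE_NEW='OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 16 2014
library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08'

# Constructed server config fragments: without and with the tls-auth
# control-channel HMAC (server uses key direction 0, clients use 1;
# the key is generated with `openvpn --genkey --secret ta.key`).
CONF_WITHOUT_TA='port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem'
CONF_WITH_TA="$CONF_WITHOUT_TA
tls-auth ta.key 0"

# extract_openssl_version OUTPUT: print the OpenSSL version token (e.g. 1.0.1j)
# from the "library versions:" line of `openvpn --version` output.
extract_openssl_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*library versions: OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# numeric_cmp A B: compare dotted numeric versions; prints 1, 0 or -1.
numeric_cmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        if [ "$ah" = "$a" ]; then a=; else a=${a#*.}; fi
        if [ "$bh" = "$b" ]; then b=; else b=${b#*.}; fi
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -gt "$bh" ]; then echo 1; return; fi
        if [ "$ah" -lt "$bh" ]; then echo -1; return; fi
    done
    echo 0
}

# openssl_status VERSION: prints "fixed", "vulnerable" or "check-manually".
# Only the 1.0.1 branch is judged precisely (patch letter j or later fixes it).
openssl_status() {
    v=$1
    branch=$(printf '%s' "$v" | sed 's/[a-z]*$//')   # 1.0.1j -> 1.0.1
    letter=$(printf '%s' "$v" | sed 's/^[0-9.]*//')  # 1.0.1j -> j
    case $(numeric_cmp "$branch" 1.0.1) in
        1)  echo fixed ;;           # 1.0.2, 1.1.x, 3.x: released after the fix
        -1) echo check-manually ;;  # 1.0.0, 0.9.8 or unknown: not covered here
        0)  case $letter in
                j|k|l|m|n|o|p|q|r|s|t|u|v|w|x|y|z) echo fixed ;;
                *) echo vulnerable ;;
            esac ;;
    esac
}

# tls_auth_enabled CONFIG: succeed if an uncommented tls-auth directive is present.
tls_auth_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*tls-auth[[:space:]]'
}

# report OUTPUT CONFIG: one-line summary combining both checks.
report() {
    ver=$(extract_openssl_version "$1")
    if tls_auth_enabled "$2"; then ta=yes; else ta=no; fi
    printf 'OpenSSL %s: %s; tls-auth: %s\n' "${ver:-unknown}" "$(openssl_status "$ver")" "$ta"
}

report "$SAMPLE_OLD" "$CONF_WITHOUT_TA"   # OpenSSL 1.0.1f: vulnerable; tls-auth: no
report "$SAMPLE_NEW" "$CONF_WITH_TA"      # OpenSSL 1.0.1j: fixed; tls-auth: yes

# Live check when an openvpn binary is on PATH (skipped otherwise); the
# config path is an assumption, adjust it for your host.
if command -v openvpn >/dev/null 2>&1; then
    report "$(openvpn --version 2>/dev/null)" "$(cat /etc/openvpn/server.conf 2>/dev/null)"
fi
```

On a dynamically linked *NIX build the version printed by `openvpn --version` is the one the OS package of OpenSSL provides, so a "vulnerable" result there means the OS package needs updating; on Windows it means the bundled installer needs replacing with I004/I604 or later.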

Last modified on 10/21/14 07:25:00