This patch updates LoadMaster's default OpenSSL libraries to Version 1.1.1n to address the OpenSSL security vulnerability described in CVE-2022-0778. In summary, the vulnerability is an internal OpenSSL bug that can cause an infinite loop when parsing certificates. As a result, parsing a client certificate that contains an elliptic curve public key (or a public certificate that carries explicit elliptic curve parameters) may trigger the infinite loop and thus a denial of service. Further details are in the vulnerability database entry at the link above.

Note that this patch does not update the earlier version of OpenSSL present on LoadMaster (Version 1.0.2) to address CVE-2022-0778. This earlier OpenSSL version is used on LoadMaster only when the Certificates & Security > SSL Options > OpenSSL Version parameter is set to "Use older version". If it is set to "Use current version" (the default value), then OpenSSL 1.1.1 is used.

Fortunately, with OpenSSL 1.0.2 the SSL handshake is not exposed to this issue because of how the handshake is designed in that version. On LoadMaster, the vulnerability can only be exploited by an administrative LoadMaster user who installs a specially crafted certificate and public key, so the risk of exposure is much lower. This issue will be addressed in a future release.
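As an added example (not Kemp's code and not part of this patch note), the check below classifies the EC parameters carried in a DER SubjectPublicKeyInfo, so that certificates stored on an appliance can be triaged for the explicit-parameters form that the vulnerability description above singles out. It assumes the SPKI DER is obtained with `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER`; the sample inputs in the block are constructed placeholders, not real keys.

```python
"""Classify the EC parameters in a DER SubjectPublicKeyInfo (SPKI); constructed samples below."""
from typing import Tuple
EC_PUBLIC_KEY_OID = bytes.fromhex("2a8648ce3d0201")  # id-ecPublicKey 1.2.840.10045.2.1
PRIME256V1_OID = bytes.fromhex("2a8648ce3d030107")   # named curve 1.2.840.10045.3.1.7
PRIME_FIELD_OID = bytes.fromhex("2a8648ce3d0101")    # prime-field 1.2.840.10045.1.1
RSA_OID = bytes.fromhex("2a864886f70d010101")        # rsaEncryption 1.2.840.113549.1.1.1

def der_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode one DER TLV at pos -> (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_encode(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed samples."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def ec_parameters_kind(spki: bytes) -> str:
    """Return 'named', 'explicit', 'implicit' or 'not-ec' for a DER SPKI."""
    _, body, _ = der_tlv(spki)     # SubjectPublicKeyInfo SEQUENCE
    _, alg, _ = der_tlv(body)      # AlgorithmIdentifier SEQUENCE
    _, oid, pos = der_tlv(alg)     # algorithm OID
    if oid != EC_PUBLIC_KEY_OID:
        return "not-ec"
    if pos >= len(alg):
        return "implicit"          # parameters absent
    ptag, _, _ = der_tlv(alg, pos)
    # OID -> namedCurve, SEQUENCE -> explicit ECParameters (the form CVE-2022-0778 concerns), NULL -> implicitlyCA
    return {0x06: "named", 0x30: "explicit"}.get(ptag, "implicit")

def build_spki(alg_oid: bytes, params: bytes) -> bytes:
    """Constructed SPKI with a placeholder BIT STRING in place of a real key."""
    alg = der_encode(0x30, der_encode(0x06, alg_oid) + params)
    return der_encode(0x30, alg + der_encode(0x03, b"\x00\x04" + b"\x11" * 64))

NAMED_SPKI = build_spki(EC_PUBLIC_KEY_OID, der_encode(0x06, PRIME256V1_OID))
RSA_SPKI = build_spki(RSA_OID, b"\x05\x00")  # NULL parameters
# Explicit ECParameters: version, fieldID, curve, base point, order (all placeholder values)
EXPLICIT_SPKI = build_spki(EC_PUBLIC_KEY_OID, der_encode(0x30,
    der_encode(0x02, b"\x01")
    + der_encode(0x30, der_encode(0x06, PRIME_FIELD_OID) + der_encode(0x02, b"\x00" + b"\xff" * 32))
    + der_encode(0x30, der_encode(0x04, b"\x00" * 32) + der_encode(0x04, b"\x07" * 32))
    + der_encode(0x04, b"\x04" + b"\x01" * 64)
    + der_encode(0x02, b"\x00" + b"\xff" * 32)))
```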