Information Exposure Affecting openssl Open this link in a new tab package, versions >=1.0.200, <1.0.211

  • Attack Complexity


  • Confidentiality


Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id


  • published

    2 Oct 2019

  • disclosed

    22 Nov 2017

  • credit


How to fix?

Upgrade OpenSSL to version 1.0.211 or higher.


OpenSSL is a SSL/TLS and Crypto toolkit. Deprecated in Mac OS and gone in iOS, this spec gives your project non-deprecated OpenSSL support.

Affected versions of this package are vulnerable to Information Exposure. OpenSSL is vulnerable to an overflow error in AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. This bug can be used to compromise private key information for certain situations and DH1024.

It does affect processors supporting AVX2 but not ADX extensions (e.g., Intel Haswell (4th generation)). This bug cannot be exploited for EC algorithms.