Problem

CVE-2015-0209 is a vulnerability in OpenSSL:

-----------

A malformed EC private key file consumed via the d2i_ECPrivateKey function could
cause a use after free condition. This, in turn, could cause a double
free in several private key parsing functions (such as d2i_PrivateKey
or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
for applications that receive EC private keys from untrusted
sources. This scenario is considered rare.

This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.

-----------

Is Gateway vulnerable to this attack?

Resolution

Gateway 6.14.1 and 6.15.0 use OpenSSL 0.9.8e. However, they do not use the d2i_ECPrivateKey function to read in keys, and therefore are not vulnerable.