Wednesday, July 8, 2015

OpenSSL to Patch Undisclosed High Severity Vulnerability this Thursday

Attention Please! System Administrator and anyone relying on OpenSSL should be prepared to switch to a new version of the open-source crypto library that will be released this Thursday 9th July.

OpenSSL is a widely used open-source software library that provides encrypted Internet connections using SSL/TLS for majority of websites, as well as other secure services.

The new versions of OpenSSL crypto library, versions 1.0.2d and 1.0.1p, address a single security vulnerability classified as "high severity," the OpenSSL Project Team announced on Monday.
There isn't more details about the mystery security vulnerability available yet, except for the fact that the security vulnerability doesn't affect the 1.0.0 or 0.9.8 series.
The announcement of the new variants of OpenSSL was made in the concisest fashion possible to prevent cyber attackers from exploiting the hole before the fix is released to the public.

Some security experts have speculated that this high severity bug could be another Heartbleed or Poodle bug that were considered to be the worst TLS/SSL vulnerabilities still believed to be affecting websites on Internet today.

Heartbleed, discovered in April last year, was a bug in an earlier version of OpenSSL that allowed hackers to read sensitive contents of victims' encrypted data, including credit card details and even steal crypto SSL keys from Internet servers or client software.

Months later, another critical flaw known as POODLE -- Padding Oracle On Downgraded Legacy Encryption -- was unearthed in the decade old but widely used SSL 3.0 cryptographic protocol that allowed attackers to decrypt the contents of encrypted connections.

However, a bunch of high severity vulnerabilities were fixed in March this year, which included denial-of-service (DoS) flaw (CVE-2015-0291) that allowed attackers to crash online services, and FREAK (CVE-2015-0204) that allowed attackers to force clients to use weaker encryption.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.