OpenSSL Patches Vulnerabilities - ThreatWire
Added 2022-11-09 17:31:53 +0000 UTC

Two major vulnerabilities in OpenSSL have been patched after they were initially discovered and reported by the Polar Bear cybersecurity group and an independent security researcher. The first of these, CVE-2022-3602, was reported privately by Polar Bear during an audit of the OpenSSL code. After this, Viktor Dukhovni found a second problem, CVE-2022-3786. The disclosures started on Oct 17th, and the problems were patched on November 1.
OpenSSL is a cryptographic library that implements the SSL and TLS protocols and is used to encrypt HTTPS and other network communications. It is an open source way to secure data over those pathways. It is incredibly popular and widely used, so a vulnerability in OpenSSL is important to patch quickly.
Both flaws affect OpenSSL version 3.0.0 or later and are patched in OpenSSL 3.0.7; the OpenSSL team has not seen any working exploits, nor any evidence that they were used in the wild. The first flaw was originally rated critical, but it was downgraded to high severity because protections on modern platforms limit its use in attacks. It is a stack buffer overflow that triggers crashes or could allow an attacker to achieve remote code execution.
The other issue is also a buffer overflow, which could be exploited with a malicious email address to trigger a denial of service.
The first flaw was downgraded in severity partly because OpenSSL 3.0 and later are not yet widely deployed: OpenSSL 1.1.1 remains in long term support until September 2023, so plenty of servers and end user client devices have not been updated to the vulnerable version. The downgrade was also due to the difficulty of exploitation, since an actual crash of a system or an RCE is somewhat difficult for an attacker to obtain.
While that's the case, OpenSSL 3.0 is included with several operating systems and Linux distros, including Ubuntu, CentOS, Kali, Debian, and Fedora. The advice of the OpenSSL team is to upgrade deployments to 3.0.7 as soon as possible.
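The practical question for a defender is which hosts sit in the affected range (3.0.0 up to but not including 3.0.7). The following is an added example, not code from the article or from the OpenSSL project: it parses `openssl version` banners and classifies them, treating unrecognised banners (such as LibreSSL) as "needs manual review" rather than silently passing them. The sample banners are constructed.

```python
import re
import subprocess
from typing import Optional, Tuple

# Boundaries from the OpenSSL advisory: 3.0.0 through 3.0.6 are affected,
# 3.0.7 carries the fix; 1.1.1 and earlier are not affected.
AFFECTED_MIN = (3, 0, 0)
FIXED = (3, 0, 7)

# Matches "OpenSSL 3.0.5 ...", "OpenSSL 1.1.1q ...", "OpenSSL 3.1.0-dev ...".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-[\w.]+)?")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from an `openssl version` banner.

    Returns None when the banner is not an OpenSSL banner, so the caller
    can flag the host for review instead of assuming it is safe.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups()[:3])


def affected_by_punycode_overflows(banner: str) -> Optional[bool]:
    """True if the banner is an OpenSSL release in [3.0.0, 3.0.7).

    None means the banner could not be parsed and needs manual review.
    """
    v = parse_openssl_version(banner)
    if v is None:
        return None
    return AFFECTED_MIN <= v < FIXED


def check_local_openssl() -> Optional[bool]:
    """Classify the `openssl` binary on PATH; None if absent or unparsable."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return None
    return affected_by_punycode_overflows(out)


if __name__ == "__main__":
    # Constructed banners, as a package inventory might collect them.
    for b in ("OpenSSL 3.0.5 5 Jul 2022", "OpenSSL 3.0.7 1 Nov 2022",
              "OpenSSL 1.1.1q  5 Jul 2022", "LibreSSL 3.6.1"):
        print(f"{b!r:32} affected={affected_by_punycode_overflows(b)}")
```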
LINKS:
https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
https://thehackernews.com/2022/11/just-in-openssl-releases-patch-for-2.html