A new version of OpenSSL, the open-source software widely used to encrypt internet communications using SSL/TLS, is due to be released this Thursday July 9th, patching a “high severity” vulnerability. The developers of OpenSSL posted the following announcement to their message boards at openssl.org –
“The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p. These releases will be made available on 9th July. They will fix a single security defect classified as “high” severity. This defect does not affect the 1.0.0 or 0.9.8 releases.”
According to some speculations this new vulnerability won’t be anything as serious as “Heartbleed” – but classifying the vulnerability as high severity means it can definitely open doors to some serious attacks, such as, remote code execution attacks, denial of service (DOS) attacks, etc. However, it is still not clear what type of vulnerability researchers have discovered and details of the patch have been kept secret in order to avoid security breaches with the exception of stating that the update also takes care of the Logjam (CVE-2015-4000) vulnerability. This is a TLS bug that can be exploited by a MITM allowing an attacker to read and alter encrypted data.
So, a word of advice to all those dealing with OpenSSL projects, “keep an eye on this important update on Thursday July 9th and be prepared to patch the systems as soon as possible”. You owe it to your own security and also to the security of your users.
The promised patch against a high severity bug in Open SSL is out, resolving a certificate forgery risk in many implementations of the crypto protocol.
Versions 1.0.1n and 1.0.2b of OpenSSL need fixing to resolve a bug that created a means for hackers to run crypto attacks that circumvent certificate warnings, as an advisory by OpenSSL explains.
“During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails.An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and “issue” an invalid certificate.”
This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.
This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o