Security News > 2022 > June > OpenSSL 3.0.5 awaits release to fix potential worse-than-Heartbleed flaw

OpenSSL 3.0.5 awaits release to fix potential worse-than-Heartbleed flaw
2022-06-27 23:30

The latest version of OpenSSL v3, a widely used open-source library for secure networking using the Transport Layer Security protocol, contains a memory corruption vulnerability that imperils x64 systems with Intel's Advanced Vector Extensions 512.

OpenSSL 3.0.4 "Is susceptible to remote memory corruption which can be triggered trivially by an attacker," according to security researcher Guido Vranken.

We're imagining two devices establishing a secure connection between themselves using OpenSSL and this flaw being exploited to run arbitrary malicious code on one of them.

So they include OpenSSL 3.0.3, with its command injection flaw.

In the GitHub Issues thread discussing the bug, Tomáš Mráz, software developer at the OpenSSL Foundation, argues the bug shouldn't be classified as a security vulnerability.

Xi Ruoyao, a PhD student at Xidian University, also said he disagreed with the policy of calling every heap buffer overflow a security flaw.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/06/27/openssl_304_memory_corruption_bug/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Openssl 1 7 48 51 13 119