OpenSSL to Release Security Patch for Remote Memory Corruption Vulnerability (Security News, June 2022)
The latest release of the OpenSSL library, version 3.0.4, has been found to contain a remotely triggerable memory-corruption bug on a subset of systems: x86-64 machines whose CPUs support the AVX-512 instruction set.
OpenSSL 1.1.1, as well as the OpenSSL forks BoringSSL and LibreSSL, is not affected.
OpenSSL is a widely used cryptography library that provides an open-source implementation of the Transport Layer Security (TLS) protocol.
Advanced Vector Extensions (AVX) are extensions to the x86 instruction set architecture for Intel and AMD processors; AVX-512 is the 512-bit variant, and the bug sits in code that OpenSSL 3.0.4 runs only on CPUs that support it. "I do not think this is a security vulnerability," Tomáš Mráz of the OpenSSL Foundation said in a GitHub issue thread. "It is just a serious bug making the 3.0.4 release unusable on AVX-512 capable machines."
On the other hand, Alex Gaynor pointed out, "I'm not sure I understand how it's not a security vulnerability. It's a heap buffer overflow that's triggerable by things like RSA signatures, which can easily happen in remote contexts."
Xi Ruoyao, a postgraduate student at Xidian University, chimed in, stating that although "I think we shouldn't mark a bug as 'security vulnerability' unless we have some evidence showing it can be exploited," it's necessary to release version 3.0.5 as soon as possible given the severity of the issue.
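The affected profile described above (OpenSSL 3.0.4 on an AVX-512 capable x86 machine, with RSA signing as the trigger Gaynor names) translates into a short host check. The script below is an added example written for this page, not code from The Hacker News article or from the OpenSSL project. The function names is_affected and rsa_sign_smoke_test are mine; the script assumes a Linux /proc/cpuinfo and the stock openssl command-line tool, and it treats the kernel's avx512f CPU flag as the proxy for "AVX-512 capable".

```shell
#!/bin/sh
# Added example for this page (not from the article or the OpenSSL project).
# Two checks: (1) does this host match "OpenSSL 3.0.4 on an AVX-512 capable
# CPU", and (2) does a 2048-bit RSA key generation plus sign/verify round trip
# complete with the local openssl binary. RSA signing is the operation the
# discussion names as a remote trigger, so (2) exercises the suspect path.

# is_affected VERSION_LINE CPU_FLAGS_LINE
#   VERSION_LINE   output of `openssl version`, e.g. "OpenSSL 3.0.4 21 Jun 2022"
#   CPU_FLAGS_LINE the "flags" line of /proc/cpuinfo
# Prints a verdict; returns 0 when the host matches the affected profile.
is_affected() {
    ver_line=$1
    flags=$2
    # Split the version line into words: $1 is the library name, $2 the version.
    set -- $ver_line
    if [ "$1" != "OpenSSL" ]; then
        printf 'not affected: %s is not OpenSSL (forks are not affected)\n' "$1"
        return 1
    fi
    if [ "$2" != "3.0.4" ]; then
        printf 'not affected: OpenSSL %s is not the 3.0.4 release\n' "$2"
        return 1
    fi
    # Assumption: the avx512f flag (AVX-512 Foundation, as reported by the
    # Linux kernel) stands in for "AVX-512 capable" as used in the thread.
    case " $flags " in
        *" avx512f "*)
            printf 'AFFECTED: OpenSSL 3.0.4 on an AVX-512 capable CPU\n'
            return 0 ;;
        *)
            printf 'not affected: CPU does not advertise avx512f\n'
            return 1 ;;
    esac
}

# rsa_sign_smoke_test: generate a 2048-bit RSA key, sign a constructed message
# and verify the signature. Returns 0 on a clean round trip. On an affected
# build the thread describes heap corruption rather than a clean error, so
# run this only where a crash of the openssl process is acceptable.
rsa_sign_smoke_test() {
    tmp=$(mktemp -d) || return 1
    status=1
    printf 'constructed test message\n' > "$tmp/msg"
    if openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
           -out "$tmp/key.pem" 2>/dev/null &&
       openssl pkey -in "$tmp/key.pem" -pubout -out "$tmp/pub.pem" 2>/dev/null &&
       openssl dgst -sha256 -sign "$tmp/key.pem" -out "$tmp/msg.sig" "$tmp/msg" &&
       openssl dgst -sha256 -verify "$tmp/pub.pem" -signature "$tmp/msg.sig" \
           "$tmp/msg" >/dev/null
    then
        status=0
    fi
    rm -rf "$tmp"
    return "$status"
}

# Live run against this host, skipped where the inputs are unavailable.
if [ -r /proc/cpuinfo ] && command -v openssl >/dev/null 2>&1; then
    is_affected "$(openssl version)" "$(grep -m1 '^flags' /proc/cpuinfo)" || true
    if rsa_sign_smoke_test; then
        echo "RSA-2048 keygen/sign/verify completed"
    else
        echo "RSA-2048 keygen/sign/verify FAILED"
    fi
fi
```

The version check inspects only the openssl binary on PATH and the libcrypto it is linked against; statically linked applications and language runtimes that bundle their own OpenSSL need to be checked separately, and a host that fails the check but carries a second copy of 3.0.4 elsewhere is still exposed.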
News URL
https://thehackernews.com/2022/06/openssh-to-release-security-patch-for.html