OpenSSL fixes two “one-liner” crypto bugs – what you need to know
2022-07-06 18:52

Heartbleed can probably be considered a prime early example of what Naked Security jokingly refers to as the BWAIN process, short for Bug With An Impressive Name.

We don't think these latest bugs reach that level of exploitability or immediate danger.

Notably, as the OpenSSL team points out, "OpenSSL does not support OCB based cipher suites for TLS and DTLS," so the network security of SSL/TLS connections is unaffected by the AES-OCB bug.

OpenSSL version 3.0 is affected by both of these bugs, and gets an update from 3.0.4 to 3.0.5.

OpenSSL version 1.1.1 is affected by the AES-OCB plaintext leakage bug, and gets an update from 1.1.1p to 1.1.1q. Of the two bugs, the modular exponentiation bug is the more severe.

If you are using OpenSSL 3 and you genuinely can't upgrade your source code, but you can recompile the source you're already using, then one possible workaround is to rebuild your current OpenSSL using the no-asm configuration setting.
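
The version guidance above can be turned into a quick triage check. This is an added example, not code from the article or from the OpenSSL project; the function name `openssl_fix_status`, its result labels and the sample inputs are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: classify an OpenSSL version string against the fixed
# releases named above (3.0.5 and 1.1.1q). The function name and the
# result labels are hypothetical, chosen for this example.

# Prints: needs-update:<fixed release> | fixed | not-covered | unparsed
openssl_fix_status() {
    # Accept the output of "openssl version" or a bare version number.
    s=${1#OpenSSL }
    ver=$(printf '%s\n' "$s" | LC_ALL=C sed -n \
        's/^ *\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*\).*$/\1/p')
    [ -n "$ver" ] || { echo unparsed; return 0; }

    case $ver in
        3.0.*)
            # 3.0 releases are ordered by the third number.
            patch=${ver#3.0.}
            patch=${patch%%[a-z]*}
            if [ "$patch" -lt 5 ]; then echo needs-update:3.0.5
            else echo fixed; fi ;;
        1.1.1*)
            # 1.1.1 releases are ordered by letter suffix (1.1.1, 1.1.1a, ...).
            suffix=${ver#1.1.1}
            case $suffix in
                ''|a|b|c|d|e|f|g|h|i|j|k|l|m|n|o|p) echo needs-update:1.1.1q ;;
                [0-9]*) echo not-covered ;;   # e.g. 1.1.10 is not 1.1.1
                *) echo fixed ;;              # q or any later suffix
            esac ;;
        *)
            # Release lines the article does not discuss.
            echo not-covered ;;
    esac
}

# Constructed sample inputs (not captured from real hosts).
for v in 'OpenSSL 3.0.4 21 Jun 2022' 'OpenSSL 3.0.5 5 Jul 2022' \
         '1.1.1p' '1.1.1q' 'OpenSSL 1.0.2u  20 Dec 2019'; do
    printf '%-30s %s\n' "$v" "$(openssl_fix_status "$v")"
done
```

On a host, pass it `"$(openssl version)"`; statically linked or bundled copies of OpenSSL inside applications need to be checked separately.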


News URL

https://nakedsecurity.sophos.com/2022/07/06/openssl-fixes-two-one-liner-crypto-bugs-what-you-need-to-know/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Openssl 2 12 92 51 16 171