OpenSSL downgrades horror bug after week of panic, hype
OpenSSL today issued a fix for a critical-turned-high-severity vulnerability that project maintainers warned about last week.
It's not every day we're warned of a critical flaw in OpenSSL - an important software library typically used by various apps and servers to encrypt data over networks and the internet - and so infosec vendors and blogs and influencers couldn't help but hype it up, promising live feeds of pain and misery when details of the holes are revealed.
A key reason why the bug was initially labeled critical was that the OpenSSL team can't guarantee people's systems have the necessary protections in place to thwart the buffer overflow exploitation in this case, and so erred on the side of caution.
There's a second high-severity vulnerability, CVE-2022-3786, that OpenSSL fixed in version 3.0.7.
While neither vulnerability should inspire Heartbleed-level panic, Tenable senior research engineer Clair Tills told The Register there are lessons to be learned from "pre-announcement and rampant nail biting" up to the OpenSSL release, which "revealed a couple of high severity flaws that are not easy to exploit and only affect a small subset of OpenSSL implementations."
The practical takeaway: upgrade to the fixed OpenSSL version (3.0.7) if you're using OpenSSL 3 - and then go have a drink to celebrate that this wasn't as bad as we all feared.
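A quick way to turn that advice into a check is to parse the banner printed by `openssl version` and compare it against the 3.0.7 fix release the article names. The following is an added example, not code from the article or from the OpenSSL project; the banner strings below are constructed samples, and the one caveat a practitioner should keep in mind is that distributions sometimes backport fixes without bumping the upstream version string, so a "vulnerable" result here means "verify against your vendor's advisory", not "definitely exploitable".

```python
import re
import subprocess
from typing import Optional, Tuple

# First OpenSSL 3 release carrying the fix for both bugs, as stated in the article.
FIXED_VERSION: Tuple[int, int, int] = (3, 0, 7)

def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a banner such as 'OpenSSL 3.0.6 4 Oct 2022'.

    Pre-3.0 banners like 'OpenSSL 1.1.1q  5 Jul 2022' parse as (1, 1, 1); the
    trailing letter is ignored because only the 3.x line matters here.
    Returns None when the banner does not look like OpenSSL output at all.
    """
    match = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)", banner)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]

def is_affected(banner: str) -> bool:
    """True if the banner describes an OpenSSL 3.0.x build older than 3.0.7.

    OpenSSL 1.x is unaffected; 3.0.7 and anything newer (including 3.1+) carry the fix.
    Raises ValueError for banners that cannot be parsed, so callers never
    mistake "unknown" for "safe".
    """
    version = parse_openssl_version(banner)
    if version is None:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    major = version[0]
    # Note: distro packages (e.g. a 3.0.2 with vendor patches) may be fixed
    # despite an old version number; treat a True result as "go check the advisory".
    return major == 3 and version < FIXED_VERSION

def check_local_openssl(binary: str = "openssl") -> Tuple[str, bool]:
    """Run `<binary> version` on this host and report (banner, affected)."""
    banner = subprocess.run(
        [binary, "version"], capture_output=True, text=True, check=True
    ).stdout.strip()
    return banner, is_affected(banner)

if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    samples = [
        "OpenSSL 3.0.6 4 Oct 2022",
        "OpenSSL 3.0.7 1 Nov 2022",
        "OpenSSL 1.1.1q  5 Jul 2022",
        "OpenSSL 3.1.0 14 Mar 2023",
    ]
    for sample in samples:
        status = "needs upgrade" if is_affected(sample) else "not in affected range"
        print(f"{sample!r}: {status}")
    try:
        banner, affected = check_local_openssl()
        print(f"local: {banner!r}: {'needs upgrade' if affected else 'not in affected range'}")
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print(f"local check skipped: {exc}")
```

Run it on a host to get a banner-based verdict; on a fleet, feed it the output of `openssl version` collected by your inventory tooling and treat every "needs upgrade" line as a ticket to reconcile against the vendor's package changelog.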
News URL
https://go.theregister.com/feed/www.theregister.com/2022/11/01/openssl_downgrades_bugs/
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK (CVSS) |
|---|---|---|---|---|
| 2022-11-01 | CVE-2022-3786 | Classic Buffer Overflow vulnerability in multiple products | A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. | 7.5 |