OpenSSL Releases Patch for 2 New High-Severity Vulnerabilities
2022-11-01 16:26

The OpenSSL project has rolled out fixes to contain two high-severity flaws in its widely used cryptography library that could result in a denial-of-service and remote code execution.

It's worth noting that the commonly deployed OpenSSL 1.x versions are not vulnerable.

Per data shared by Censys, about 7,062 hosts are said to run a susceptible version of OpenSSL as of October 30, 2022, with a majority of those located in the U.S., Germany, Japan, China, Czechia, the U.K., France, Russia, Canada, and the Netherlands.

The OpenSSL Project further noted the bugs were introduced in OpenSSL 3.0.0 as part of punycode decoding functionality that's currently used for processing email address name constraints in X.509 certificates.

Despite the change in severity, OpenSSL said it considers "these issues to be serious vulnerabilities and affected users are encouraged to upgrade as soon as possible."

The OpenSSL software toolkit was most notably impacted by Heartbleed, a serious memory handling issue in the implementation of the TLS/DTLS heartbeat extension, enabling attackers to read portions of a target server's memory.


News URL

https://thehackernews.com/2022/11/just-in-openssl-releases-patch-for-2.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Openssl 2 12 92 51 16 171