
OpenSSL Fixes Multiple New Security Flaws with Latest Update
2023-02-09 09:51

The OpenSSL Project has released fixes to address several security flaws, including a high-severity bug in the open source encryption toolkit that could potentially expose users to malicious attacks.

The vulnerability is rooted in the way the popular cryptographic library handles X.509 certificates, and is likely to impact only those applications that have a custom implementation for retrieving a certificate revocation list over a network.

"In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature," OpenSSL said.

"If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon."

Successful exploitation of the above shortcomings could lead to an application crash, disclosure of memory contents, and even recovery of plaintext messages sent over a network by taking advantage of a timing-based side channel in a Bleichenbacher-style attack.

The fixes arrive nearly two months after OpenSSL plugged a low-severity flaw that arises when processing an X.509 certificate, resulting in a denial-of-service condition.


News URL

https://thehackernews.com/2023/02/openssl-fixes-multiple-new-security.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Openssl 2 12 92 51 16 171