Security Experts:

OpenSSL Preparing Updates to Patch High Severity Vulnerability

OpenSSL versions 1.0.2d and 1.0.1p will be released later this week to address a serious security bug, the OpenSSL Project Team announced on Monday.

According to the developers of the popular open-source toolkit for SSL/TLS, OpenSSL 1.0.2d and 1.0.1p will be released on Thursday, July 9, and they will fix a single high severity vulnerability.

No other details have been made available, except for the fact that the security hole does not affect the 1.0.0 or 0.9.8 releases.

The announcement comes less than a month after OpenSSL versions 1.0.2b, 1.0.1n, 1.0.0s and 0.9.8zg were released to address several moderate and low severity bugs, most of which can be exploited for denial-of-service (DoS) attacks.

The latest versions also patch Logjam (CVE-2015-4000), a TLS bug that can be exploited through man-in-the-middle (MitM) attacks to downgrade connections to 512-bit export-grade cryptography. The vulnerability allows an attacker to read and alter encrypted data.

Researchers often uncover vulnerabilities in OpenSSL. The most widely publicized of them was Heartbleed, a bug that exposed millions of websites to cyberattacks.

Heartbleed represented a wakeup call for the industry and many major organizations pledged support for OpenSSL through the Linux Foundation’s Core Infrastructure Initiative after the existence of the bug came to light.

However, the more than 500,000 lines of code make it difficult to maintain and review OpenSSL, which is why some organizations have started suggesting alternatives.

Amazon announced last week the availability of s2n, a new open source implementation of TLS that consists of only 6,000 lines of code. While it cannot replace OpenSSL completely because it doesn’t provide a general purpose cryptography library, Amazon’s implementation of TLS might make its way to some popular services. Amazon says it will integrate s2n into several of its AWS services over the coming months.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.