OpenSSL released patches for latest High Severity Vulnerabilities
The OpenSSL team has released patches (OpenSSL 3.0.7) that remediate multiple high-severity vulnerabilities, about which the team had warned all users and vendors in advance.
According to the security advisory, the OpenSSL team has remediated two high-severity vulnerabilities, CVE-2022-3602 and CVE-2022-3786, which affect OpenSSL versions 3.0.0 through 3.0.6. Both vulnerabilities are buffer overflows.
According to the OpenSSL notification, CVE-2022-3602 was discovered and reported on 17th October 2022 by Polar Bear. The CVE was initially rated Critical; after deeper analysis the team downgraded it to High severity, while still noting that it impacts major vendors. The other vulnerability was discovered by Viktor Dukhovni while researching CVE-2022-3602. Successful exploitation of these vulnerabilities could lead to a denial of service (DoS) or, in the case of CVE-2022-3602, potentially remote code execution.
As per the advisory, these vulnerabilities have no impact on OpenSSL 1.1.1 or 1.0; only OpenSSL versions 3.0.0 through 3.0.6 are vulnerable to these CVEs. OpenSSL has recommended that users and vendors upgrade to version 3.0.7.
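A quick inventory check for the affected range described above, written as an added example for this article (it is not code from OpenSSL or from the advisory): it parses the version string reported by the `openssl` CLI or by Python's `ssl` module and flags anything from 3.0.0 up to but not including 3.0.7, treating the 1.1.1 and 1.0 branches as unaffected. The `check_cli` binary name is an assumption; adjust it if your build lives elsewhere.

```python
import re
import ssl
import subprocess
from typing import Optional, Tuple

# Affected range from the advisory: OpenSSL 3.0.0 through 3.0.6, fixed in 3.0.7.
# The 1.1.1 and 1.0.x branches are not affected.
FIRST_AFFECTED = (3, 0, 0)
FIXED_IN = (3, 0, 7)

# Matches the numeric triple in strings such as "OpenSSL 3.0.5 5 Jul 2022" or "1.1.1q".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract major.minor.patch from an OpenSSL version string, or None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(text: str) -> Optional[bool]:
    """True if the version is in 3.0.0..3.0.6 (CVE-2022-3602 / CVE-2022-3786),
    False if outside that range, None if the string carries no version."""
    v = parse_version(text)
    if v is None:
        return None
    return FIRST_AFFECTED <= v < FIXED_IN


def check_python_runtime() -> Tuple[str, Optional[bool]]:
    """Classify the OpenSSL build the running interpreter is linked against."""
    return ssl.OPENSSL_VERSION, is_affected(ssl.OPENSSL_VERSION)


def check_cli(binary: str = "openssl") -> Tuple[str, Optional[bool]]:
    """Run `<binary> version` and classify its output; ("", None) if the binary is missing."""
    try:
        out = subprocess.run([binary, "version"], capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return "", None
    return out.stdout.strip(), is_affected(out.stdout)


if __name__ == "__main__":
    labels = {True: "AFFECTED - upgrade to 3.0.7", False: "not affected", None: "unknown"}
    for name, (ver, flag) in (("python ssl module", check_python_runtime()), ("openssl CLI", check_cli())):
        print(f"{name}: {ver or '(not found)'} -> {labels[flag]}")
```

Distributions that backport the fix without bumping the version string can still report 3.0.x after patching, so confirm a hit against the package changelog before escalating it.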
OpenSSL is an open-source library that implements the SSL and TLS protocols for secure communication over the internet. Amazon, Broadcom, CentOS, Dockerhub, Fedora, Intel, Linux Mint, Offensive Security, OpenSUSE, Red Hat, and Tenable are among the major vendors using OpenSSL and are possibly impacted.
OpenSSL took more than 10 days to release the patches, but in the meantime it advised all vendors to take precautionary steps, such as following security best practices and patching and updating all systems and servers to the latest versions, until the fix was released.
This is not the first time critical or high-severity vulnerabilities have been reported in OpenSSL. In the past, many CVEs, such as CVE-2022-2274 and CVE-2022-0778, have been reported and created chaos among hackers and vendors alike.