OpenSSL Released a New Security Patch for 2 Critical Security Vulnerabilities

Listen to this article

The new patch of OpenSSL is available, so organizations using version 3.0 or later are advised to update their systems. The massively-used open-source encryption library of OpenSSL was expected to receive a patch on 1st November over a critical exposure. The OpenSSL Project efficiently evolves and owns the library without publishing extraordinary details.

The OpenSSL Project is now releasing its second-ever essential security patch to handle the issue. OpenSSL 3.07 is a security-fix release and was scheduled to live on Tuesday afternoon. All organizations using OpenSSL 3.0 or later, must update to prevent hackers from abusing the weakness and damaging systems. The CEO of cybersecurity platform Defense.com, Oliver Pinson-Roxburgh issued a statement.

Pinson-Roxburgh said his platform is now in the calm before the storm. There are still fresh memories among security teams about the disaster a couple of years ago from the Heartbleed SSL susceptibility. OpenSSL is a software library for general-purpose Morse code and safe communication. However, it is essential to most web security and is massively used on web servers and HTTPS websites.

Orca Security Examined the PCs of Various Organizations

The cybersecurity company Orca Security scanned cloud platforms just ahead of 1st November’s patch. The firm examined that 59 PCs of different organizations were running anyhow one server with infected OpenSSL 3.0 or later. Orca discovered that at least 50% of these assets are internet-facing and 58 PCs sustain personally identifiable information.

The CEO of Orca Security, Avi Shua, issued a statement. He advised organizations to make sure that every OpenSSL version 3.0 to 3.6 running asset in their environment is identified. The next phase is to consider which of these assets are exploited that could offer an attack path. So, they must immediately apply the fix to these critical assets.

New Patch to Fix 2 High-Risk Security Flaws

Moreover, the website axios.com reported that developers of a largely used open-source code library released a patch. The new patch can fix 2 new high-risk security flaws existing in its tools. It could enable hackers to remotely execute new code. On Tuesday, OpenSSL Project released information about a security patch for the susceptibilities. One of the security flaws supposedly enables attackers to trigger a denial-of-service attack.

However, this attack would need the authorization of an encryption certificate in an email, so it is difficult to clone. The second security flaw also enables hackers to forward emails containing malicious certificates to damage the system. Most of these security weaknesses were only discovered on OpenSSL’s 3.0.0-3.0.6 versions. Keep in mind that earlier versions weren’t affected by these flaws.

OpenSSL is a Typically Used Code Library

Meanwhile, OpenSSL is a commonly used code library to allow secure communications over the internet. Experts believe it could take a lot of work for attackers and allow them to expose these weaknesses. OpenSSL said in a blog post that it didn’t find any evidence of these issues being exploited. Most organizations haven’t been using the infected versions of OpenSSL since its release in September 2021.

The cloud security firm Wiz said the recent announcement will impact just 1.5% of OpenSSL running assets. Most platforms deploy stack overflow protections to secure against the execution threat of remote code. The OpenSSL Project effectively decreased the security flaw from critical to high. However, today’s security flaw doesn’t appear more critical, than expected.