Nov 1, 2022 - Technology

OpenSSL code library patched after high-risk vulnerabilities found

Illustration of three band aids resembling a wifi symbol covering a crack in a wall

Illustration: Annelise Capossela/Axios

The developer of a widely used open-source code library released a patch to resolve two new high-risk security vulnerabilities in its tools that could allow hackers to remotely execute new code or trigger website crashes.

Driving the news: The OpenSSL Project released details about a security patch for the vulnerabilities on Tuesday after teasing their release last week.

  • One of the flaws could potentially allow attackers to trigger a denial of service attack or access the ability to remotely deploy code. However, to be successful, this attack would require validation of an encryption certificate in an email, which is difficult to replicate.
  • The second flaw could also allow attackers to send emails with malicious certificates to cause system crashes.
  • The security flaws are only found on OpenSSL's 3.0.0-3.0.6 versions. Earlier versions are not affected.

Why it matters: OpenSSL is a commonly used code library to enable secure communications across the internet, and the majority of HTTPS websites rely on some version of it.

Threat level: Experts anticipate it would take a lot of work for hackers to be able to exploit these vulnerabilities to allow them to remotely access a network.

  • OpenSSL said in a blog post it has "no evidence of these issues being exploited as of the time of release of this post."
  • The affected versions of OpenSSL are also the least used right now since it was just released in September 2021. Only 1.5% of OpenSSL instances appear to be impacted by today's announcements, according to cloud security firm Wiz.
  • "Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution," OpenSSL said in the advisory.
  • "Exploiting this vulnerability requires quite a bit of set up and a number of factors to fall into place before it could be leveraged," said Victor Wieczorek, vice president of app security, threat and attack simulation at GuidePoint Security.

The intrigue: The OpenSSL Project downgraded the security flaw from "critical" to "high" in the last week after warning programmers to be on alert for a flaw that would rival 2014's "Heartbleed" vulnerability.

  • If today's vulnerability had been defined as "critical," it would have been only the second time OpenSSL had rated a vulnerability as such since Heartbleed, which led to breaches at government agencies, hospital systems and other websites.

What's next: While today's security vulnerability doesn't appear to as high stakes as expected, security professionals are still encouraging companies running OpenSSL to update their systems.

Sign up for Axios’ cybersecurity newsletter Codebook here.

Go deeper