OpenSSL security patches created critical vulnerability


Fix for low severity issue turns problematic.

Last week's set of security patches for the popular open source crypto library OpenSSL created a new critical vulnerability requiring an emergency fix.

The vulnerability, tracked as CVE-2016-6309, affects only version 1.1.0a. The OpenSSL security team said it was introduced by the patch for CVE-2016-6307, a low-severity bug in the handling of large handshake messages.

Robert Swiecki of Google's security team discovered that the fix for CVE-2016-6307 left a dangling pointer: when a handshake message larger than roughly 16 KB arrives, the buffer that holds the incoming message is reallocated and may move, but a pointer into the old buffer is kept and used afterwards.

The result is a write to memory that has already been freed, a use-after-free. That will most likely crash OpenSSL, but it could potentially allow a malicious actor to execute arbitrary code, which is why the issue was rated critical.
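The pattern described above, reduced to a small C model, as an added example that is not OpenSSL's code: a growable message buffer (`data`) carries a second pointer (`msg`) to the message body inside it. The buggy variant (`rebase_msg == 0`) reallocates the buffer but leaves `msg` pointing at the old block, so the next copy into the body writes through a dangling pointer; the hardened variant re-derives `msg` from the new buffer after every growth. The struct, function names and the 16 KiB / 20000-byte sizes are assumptions chosen for illustration; the buggy path is deliberately never executed, since writing through the stale pointer is exactly the use-after-free.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN 4   /* handshake header: 1-byte type + 3-byte length */

/* Simplified stand-in for a buffer/body-pointer pair (constructed for
 * this example, not OpenSSL's own structures). */
typedef struct {
    unsigned char *data;   /* growable buffer holding header + body */
    size_t cap;            /* bytes allocated */
    size_t len;            /* bytes written so far */
    unsigned char *msg;    /* points at the body inside data, just past the header */
} hs_state;

static int hs_init(hs_state *s, size_t cap) {
    s->data = malloc(cap);
    if (!s->data) return 0;
    s->cap = cap;
    s->len = 0;
    s->msg = s->data + HDR_LEN;
    return 1;
}

static void hs_free(hs_state *s) {
    free(s->data);
    s->data = s->msg = NULL;
    s->cap = s->len = 0;
}

/* Make room for a body of body_len bytes. With rebase_msg == 0 this
 * reproduces the mistake: the block is reallocated (and may move) but
 * msg keeps its old address and now dangles into freed memory. */
static int hs_grow(hs_state *s, size_t body_len, int rebase_msg) {
    size_t need = HDR_LEN + body_len;
    if (need <= s->cap) return 1;
    unsigned char *nb = realloc(s->data, need);
    if (!nb) return 0;
    s->data = nb;
    s->cap = need;
    if (rebase_msg)
        s->msg = nb + HDR_LEN;   /* the fix: re-derive the pointer from the live buffer */
    return 1;
}

/* Copy a body into the buffer. The memcpy goes through s->msg, which is
 * where the dangling pointer would be used on the buggy path. */
static int hs_set_body(hs_state *s, const unsigned char *body, size_t body_len, int rebase_msg) {
    if (!hs_grow(s, body_len, rebase_msg)) return 0;
    memcpy(s->msg, body, body_len);
    s->len = HDR_LEN + body_len;
    return 1;
}

/* Invariant the fix restores: msg must point into the current allocation. */
static int hs_msg_in_bounds(const hs_state *s) {
    return s->msg == s->data + HDR_LEN;
}

/* Drive the hardened path with a 20000-byte body against a 16 KiB initial
 * buffer, so realloc is forced; returns 1 if the body round-trips intact. */
static int demo_large_message(void) {
    enum { INITIAL = 16384, BODY = 20000 };
    hs_state s;
    if (!hs_init(&s, INITIAL)) return 0;
    unsigned char *body = malloc(BODY);   /* constructed sample body */
    if (!body) { hs_free(&s); return 0; }
    for (size_t i = 0; i < BODY; i++) body[i] = (unsigned char)(i * 7);
    int ok = hs_set_body(&s, body, BODY, 1)
          && hs_msg_in_bounds(&s)
          && s.len == HDR_LEN + BODY
          && memcmp(s.msg, body, BODY) == 0;
    free(body);
    hs_free(&s);
    return ok;
}

int main(void) {
    printf("hardened path intact: %s\n", demo_large_message() ? "yes" : "no");
    return 0;
}
```

Whether the buggy path crashes depends on whether `realloc` happened to move the block, which is why the original bug survived testing with small messages: growth of a few bytes often stays in place, while a jump from 16 KiB to 20 KiB almost always moves. Storing only offsets, or rebasing every derived pointer immediately after any reallocation as `hs_grow` does, removes the dependence on allocator luck.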

A second coding mistake in last week's patches saw a Certificate Revocation List sanity check omitted from OpenSSL 1.0.2i; the check was added to the 1.1.0 release but not carried over to the 1.0.2 branch. Any attempt to use CRLs with 1.0.2i crashes with a NULL pointer dereference. The issue, CVE-2016-7052, was rated moderate.

The OpenSSL project said users with version 1.1.0 of the crypto library should upgrade to 1.1.0b, and users with version 1.0.2i should upgrade to 1.0.2j.
