OpenSSL security patches created critical vulnerability


Fix for low severity issue turns problematic.

Last week's set of security patches for the popular open source crypto library OpenSSL created a new critical vulnerability requiring an emergency fix.

The vulnerability only affects version 1.1.0a. The OpenSSL security team said it was caused by the patch for CVE-2016-6307, a bug in the handling of large message sizes that had been rated as low severity.

Robert Swiecki of Google's security team discovered that the fix for CVE-2016-6307 left a dangling pointer in the code: a pointer that still refers to memory that has since been freed, creating a critical security vulnerability.

Writing through that pointer means writing to a previously freed memory location, which is likely to crash OpenSSL and could potentially allow arbitrary code execution by malicious actors.
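The following C snippet is an added illustration of the dangling-pointer pattern described above, written for this article; it is not OpenSSL's code and does not reproduce the actual CVE-2016-6309 fix. It uses a hypothetical growable message buffer (`msgbuf`, `append_vulnerable`, `append_safe` are all constructed names) to show how a cached raw pointer becomes stale once the buffer is reallocated, and the defensive alternative of keeping an offset and re-deriving the pointer only after the buffer's final address is known.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable message buffer (constructed for this example). */
typedef struct {
    unsigned char *data;   /* heap block holding the message */
    size_t len;            /* bytes currently in use */
    size_t cap;            /* bytes allocated */
} msgbuf;

int msgbuf_init(msgbuf *b, size_t cap) {
    b->data = malloc(cap);
    if (b->data == NULL) return 0;
    b->len = 0;
    b->cap = cap;
    return 1;
}

/* Grow the buffer if needed. realloc() may move the block and free the old
 * one, so every raw pointer into the old block becomes a dangling pointer. */
int msgbuf_grow(msgbuf *b, size_t need) {
    if (need <= b->cap) return 1;
    unsigned char *p = realloc(b->data, need);
    if (p == NULL) return 0;           /* old block is still valid on failure */
    b->data = p;
    b->cap = need;
    return 1;
}

/* Vulnerable pattern: a raw pointer into the buffer is cached, the buffer
 * is then grown (possibly freeing the old block), and the write goes
 * through the stale pointer. Shown for illustration; never called here. */
int append_vulnerable(msgbuf *b, const unsigned char *src, size_t n) {
    unsigned char *cursor = b->data + b->len;   /* pointer into current block */
    if (n > SIZE_MAX - b->len) return 0;
    if (!msgbuf_grow(b, b->len + n)) return 0;  /* may free the block cursor points into */
    memcpy(cursor, src, n);                     /* BUG: write to freed memory */
    b->len += n;
    return 1;
}

/* Hardened pattern: remember an offset, not a pointer, and compute the
 * destination only after the buffer's final location is known. */
int append_safe(msgbuf *b, const unsigned char *src, size_t n) {
    size_t off = b->len;
    if (n > SIZE_MAX - b->len) return 0;        /* guard the length arithmetic */
    if (!msgbuf_grow(b, b->len + n)) return 0;
    memcpy(b->data + off, src, n);              /* derived from the live block */
    b->len += n;
    return 1;
}

/* Start with a 4-byte buffer so the second append forces a reallocation.
 * Returns 1 if the assembled message is intact in the live buffer. */
int demo_safe_append(void) {
    msgbuf b;
    if (!msgbuf_init(&b, 4)) return 0;
    const unsigned char part1[] = "hell";       /* constructed sample input */
    const unsigned char part2[] = "o, world";
    int ok = append_safe(&b, part1, 4) && append_safe(&b, part2, 8);
    int intact = ok && b.len == 12 && memcmp(b.data, "hello, world", 12) == 0;
    free(b.data);
    return intact;
}

int main(void) {
    printf("safe append intact: %d\n", demo_safe_append());
    return 0;
}
```

Running the vulnerable variant under AddressSanitizer (`-fsanitize=address`) is the practical way to catch this class of bug before release: the stale `cursor` write is reported as a heap-use-after-free at the exact `memcpy`, whereas without instrumentation the same write often succeeds silently and only corrupts memory later.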

A second coding mistake in last week's patches saw a Certificate Revocation List (CRL) sanity check omitted in OpenSSL version 1.0.2i. Using CRLs will crash OpenSSL 1.0.2i with a null pointer dereference, creating a vulnerability rated as moderate.

The OpenSSL project said users with version 1.1.0 of the crypto library should upgrade to 1.1.0b, and users with version 1.0.2i should upgrade to 1.0.2j.
