OpenSSL users are being urged to apply patches released overnight by the maintainers of the open source cryptography framework that contain fixes for two high-severity holes.
OpenSSL is used to cryptographically protect sensitive web and email traffic using the Transport Layer Security (TLS) protocol, underpinning the majority of communications conducted online.
Last night it was revealed that a memory corruption bug in OpenSSL's Abstract Syntax Notation One (ASN.1) encoder, fixed in April last year, has come back to haunt users when combined with a second, independent bug.
Assigned the Common Vulnerabilities and Exposures identifier CVE-2016-2108, the combination bug can be abused to cause memory corruption in applications that use X.509 digital certificates that trigger ASN.1 encoding.
Attackers may be able to remotely cause out-of-bounds memory writes with the bug and execute code on vulnerable servers.
A second "padding oracle attack" bug has also been patched by OpenSSL. CVE-2016-2107 is similarly rated as high severity, and can be used for man-in-the-middle interception attacks that decrypt traffic flowing across a connection.
According to security researcher Thomas Ptacek, the bug is difficult to exploit and will only give up small amounts of data per attack.
He attributed the hole to insufficient understanding of how programming features interact with each other, and said there could be further, similar bugs in the future.
"What's interesting about crypto to me is the prospect that every common crypto flaw has second- and third-order variants that we will not find out about for many years, the same way we've barely now got a grip on the interaction between C integers and buffer counting," Ptacek wrote.
OpenSSL advised users on version 1.0.1 to upgrade to 1.0.1t and those on 1.0.2 to move to 1.0.2h.
Four low-severity bugs are also taken care of with the latest OpenSSL update.
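To act on the upgrade advice above, an inventory check can compare each host's `openssl version` banner against the fixed releases the article names. The following is an added example, not code from OpenSSL or the article; the function names and sample banners are constructed for illustration, and branches the article does not mention are reported as unknown.

```python
import re

# Fixed releases named in the article, keyed by release branch.
FIXED = {(1, 0, 1): "t", (1, 0, 2): "h"}

_VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Constructed sample banners in the style of `openssl version` output.
SAMPLES = [
    "OpenSSL 1.0.1s  1 Mar 2016",
    "OpenSSL 1.0.1t  3 May 2016",
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "OpenSSL 1.0.2g  1 Mar 2016",
    "OpenSSL 1.0.2h  3 May 2016",
    "OpenSSL 0.9.8zh 3 Dec 2015",
]


def _patch_key(letters):
    # Patch letters run a..z and then continue za, zb, ...,
    # so order by length first and alphabetically second.
    return (len(letters), letters)


def classify(banner):
    """Return 'patched', 'upgrade' or 'unknown' for one version banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        return "unknown"
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    fixed = FIXED.get(branch)
    if fixed is None:
        # The article gives no fixed release for other branches.
        return "unknown"
    if _patch_key(m.group(4)) >= _patch_key(fixed):
        return "patched"
    return "upgrade"


def report(banners):
    """Map each banner to its verdict."""
    return {b: classify(b) for b in banners}


if __name__ == "__main__":
    for banner, verdict in report(SAMPLES).items():
        print(f"{verdict:8} {banner}")
```

Distribution packages often backport security fixes without changing the upstream version letter, so an "upgrade" verdict on a vendor build should be confirmed against the package changelog.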