And another OpenSSL security vulnerability

Third time's a charm…

Or so they say.

The open-source encryption library OpenSSL had its third “major” security vulnerability, which was fixed with a patch available as of November 1, 2022. As per CVE-2022-3786 and CVE-2022-3602, the security vulnerability constitutes X.509 email address buffer overflows.

8 years ago it was Heartbleed. This security vulnerability was found and fixed in April 2014. It had been introduced, however, more than 2 years prior, on 31 December 2011, shortly before midnight. The story behind that vulnerability is worthy of a limited TV show.

In spring 2016, researchers found OpenSSL to be vulnerable to a Padding-Oracle attack, which could take an entire system down.

Whether it is only 3 major security vulnerabilities depends on how you count and on what you count as severe or critical. OpenSSL has had many vulnerabilities, which were either fixed or had a mitigation.

The good news is that the OpenSSL developer community is quick to provide fixes and/or to analyse the security vulnerability and at least suggest a mitigation.

What was different this time, however, was that the security vulnerability was announced with the fix due 5 days after its announcement. And the date for releasing the fix, Nov 1, 2022, was a Catholic holiday in many countries.

How interesting…
