As organizations around the world assess the ongoing fallout from Heartbleed, the OpenSSL Project has patched several more vulnerabilities in the open source encryption software, including one that could expose victims to man-in-the-middle attacks.
The most severe OpenSSL vulnerability of the bunch, CVE-2014-0195, is present across all client versions of OpenSSL, though only servers running versions 1.0.1 or 1.0.2-beta1 are currently affected. Attacks using the flaw can only be performed if both the client and server are vulnerable, according to the OpenSSL security advisory, but if successful, an attacker would be able to, according to the advisory, "decrypt and modify traffic from the attacked client and server."
Masashi Kikuchi, the researcher credited with reporting the vulnerability, explained in a blog post why the vulnerability had not been discovered previously.
"The biggest reason why the bug hasn't been found for over 16 years is that code reviews were insufficient, especially from experts who had experiences with TLS/SSL implementation," said Kikuchi. "If the reviewers had enough experiences, they should have been verified OpenSSL code in the same way they do their own code. They could have detected the problem."
The advisory urges OpenSSL users to upgrade to one of three patched versions provided, including 0.9.8za, 1.0.0m and 1.0.1h.
All told, the security advisory details seven OpenSSL vulnerabilities. The Heartbleed bug has brought increased attention to the open source encryption software, with a dozen tech giants having committed millions in funding to OpenSSL and similar projects.