
Another serious OpenSSL vulnerability patched

Patched soon after Heartbleed, a new widespread OpenSSL vulnerability could expose potential victims to man-in-the-middle attacks.

As organizations around the world assess the ongoing fallout from Heartbleed, the OpenSSL Project has patched several more vulnerabilities in the open source encryption software, including one that could expose victims to man-in-the-middle attacks.

The most severe OpenSSL vulnerability of the bunch, CVE-2014-0195, is present across all client versions of OpenSSL, though only servers running versions 1.0.1 or 1.0.2-beta1 are currently affected. According to the OpenSSL security advisory, an attack using the flaw can only succeed if both the client and the server are vulnerable, but a successful attacker would be able to "decrypt and modify traffic from the attacked client and server."

Masashi Kikuchi, the researcher credited with reporting the vulnerability, explained in a blog post why the vulnerability had not been discovered previously.

"The biggest reason why the bug hasn't been found for over 16 years is that code reviews were insufficient, especially from experts who had experience with TLS/SSL implementation," said Kikuchi. "If the reviewers had enough experience, they should have verified OpenSSL code in the same way they do their own code. They could have detected the problem."

The advisory urges OpenSSL users to upgrade to one of the three patched versions provided: 0.9.8za, 1.0.0m or 1.0.1h.
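As an added illustration of the version rules this article reports (not code from the article or from the OpenSSL project), the check below decides whether a reported OpenSSL version string is at or past the fix releases named here, and whether a client/server pair is exposed given that both ends must be vulnerable. It accepts raw `openssl version` output and assumes only what the article states; branches the article does not cover are reported as unknown rather than guessed.

```python
import re

# Fix releases named in the advisory summarised above, keyed by release branch.
# Constructed for this example; consult the advisory itself for the current list.
FIX_RELEASES = {"0.9.8": "0.9.8za", "1.0.0": "1.0.0m", "1.0.1": "1.0.1h"}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?\b")


def parse_version(text):
    """Pull (branch, letters, prerelease) out of '1.0.1g' or 'OpenSSL 1.0.1g 7 Apr 2014'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    branch = ".".join(m.group(1, 2, 3))
    return branch, m.group(4), m.group(5)


def letter_key(letters):
    # OpenSSL patch letters run a..y and then za, zb, ...: a longer suffix is newer,
    # so 0.9.8za sorts after 0.9.8y even though 'z' < 'y' is false lexically.
    return (len(letters), letters)


def is_patched(text):
    """True if at/after the fix release, False if known affected, None if the article says nothing."""
    branch, letters, pre = parse_version(text)
    if branch == "1.0.2":
        return False if pre == "beta1" else None   # article names only 1.0.2-beta1
    fix = FIX_RELEASES.get(branch)
    if fix is None:
        return None
    _, fix_letters, _ = parse_version(fix)
    return letter_key(letters) >= letter_key(fix_letters)


def server_affected(text):
    """Server side is only at risk on 1.0.1 before 1.0.1h, or on 1.0.2-beta1."""
    branch, _, pre = parse_version(text)
    if branch == "1.0.1":
        return is_patched(text) is False
    return branch == "1.0.2" and pre == "beta1"


def connection_exposed(client_text, server_text):
    """Per the advisory, the attack needs BOTH a vulnerable client and a vulnerable server."""
    return is_patched(client_text) is False and server_affected(server_text)
```

A client on 0.9.8y talking to a 1.0.0l server is not exposed to this particular flaw, but the client still needs 0.9.8za for the other issues in the same advisory.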

All told, the security advisory details seven OpenSSL vulnerabilities. The Heartbleed bug has brought increased attention to the open source encryption software, with a dozen tech giants having committed millions in funding to OpenSSL and similar projects.
