"The Sky Is Not Falling: Disclosed OpenSSL Bugs Are Serious but Not Critical"

Security experts have described two highly anticipated vulnerabilities recently patched by the OpenSSL Project team as issues that must be addressed quickly but do not require a drop-everything-else emergency response. Version 3.0.7 of the widely used cryptographic library addresses two buffer overflow vulnerabilities found in OpenSSL versions 3.0.0 to 3.0.6. Prior to the disclosure, security experts had warned that one of the issues, initially described as a "critical" Remote Code Execution (RCE) problem, could present a Heartbleed-level problem. However, this does not appear to be the case: when disclosing the flaw, the OpenSSL project team stated that it had decided to downgrade the severity to "high" based on feedback from organizations that had tested and analyzed the bug.

The first flaw, tracked as CVE-2022-3602, could enable RCE under certain conditions, prompting some security experts to worry that it could have far-reaching consequences. The second vulnerability, tracked as CVE-2022-3786 and discovered while the first was being fixed, could be used to cause Denial-of-Service (DoS) conditions. To exploit either flaw, a vulnerable server would need to request client certificate authentication, which is unusual. Alternatively, a vulnerable client would have to connect to a malicious server, which is a common and defendable attack vector. This article continues to discuss the two recently patched OpenSSL bugs.

Dark Reading reports "The Sky Is Not Falling: Disclosed OpenSSL Bugs Are Serious but Not Critical"