OpenSSL vulnerability feared as “critical” is less serious than expected
The long-awaited OpenSSL patches for a security hole that had been pre-announced as critical severity are available now, and with their release the OpenSSL team has lowered the bug's severity rating from critical to high.
For comparison, the Heartbleed bug was a data-leak flaw in OpenSSL that clients and random internet users could trigger against servers almost anywhere.
OpenSSL 1.1.1 is upgraded to version 1.1.1s and fixes one listed security bug, although that bug carries neither a severity rating nor an official CVE number. OpenSSL 3.0 is upgraded to version 3.0.7 and fixes not one but two CVE-numbered vulnerabilities, both officially described as high severity. While the patch for CVE-2022-3602 was being prepared, a second, similar bug, CVE-2022-3786, was discovered.
Until the patch was released, the specifics of CVE-2022-3786 and CVE-2022-3602 were largely unknown, but web security analysts and companies warned that there could be significant problems and maintenance pain. Some Linux distributions, such as Fedora, delayed their own releases until the patch was available. Notably, these vulnerabilities mainly affect clients, not servers.
Users should now move to OpenSSL 1.1.1s or OpenSSL 3.0.7, replacing whatever version is currently in use: 1.1.1s carries the security patch, and 3.0.7 carries the fixes for the two CVE-numbered HIGH severity vulnerabilities. 1.0.2 will continue to be supported and updated, but only for customers who hold support contracts with the team.
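A quick inventory check for the upgrade guidance above, written as an added example and not part of the article: it classifies the string printed by `openssl version` against the release lines named here (3.0.7, 1.1.1s, 1.0.2). The sample version strings are constructed inputs.

```shell
#!/bin/sh
# Classify an `openssl version` string against the releases named in the
# article: 3.0.7 (fixes CVE-2022-3602 and CVE-2022-3786), 1.1.1s (latest
# 1.1.1 fix release) and 1.0.2 (updates only under a support contract).
# Constructed sample input: "OpenSSL 3.0.5 5 Jul 2022"
classify_openssl_version() {
    # Extract "3.0.5", "1.1.1q", "1.0.2u" ... from the banner line.
    ver=$(printf '%s' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo "unknown: cannot parse '$1'"
        return 0
    fi
    case "$ver" in
        3.0.*)
            patch=${ver#3.0.}
            # Every 3.0.x before 3.0.7 carries both HIGH-severity CVEs.
            if [ "$patch" -lt 7 ] 2>/dev/null; then
                echo "vulnerable: $ver affected by CVE-2022-3602 and CVE-2022-3786; upgrade to 3.0.7"
            else
                echo "ok: $ver is 3.0.7 or later"
            fi
            ;;
        1.1.1*)
            letter=${ver#1.1.1}
            # 1.1.1 fix releases are lettered a, b, ... ; anything before 's'
            # (or the unlettered 1.1.1) predates the current fix release.
            case "$letter" in
                ""|[a-r]) echo "outdated: $ver predates 1.1.1s; update to 1.1.1s" ;;
                *)        echo "ok: $ver is 1.1.1s or later" ;;
            esac
            ;;
        1.0.2*)
            echo "unsupported: $ver only receives updates under a support contract"
            ;;
        *)
            echo "unknown: $ver is not a release line discussed here"
            ;;
    esac
}
```

Run it against the live binary with `classify_openssl_version "$(openssl version)"`; on hosts with several OpenSSL builds, check each binary's own banner.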
According to a blog post by the OpenSSL Security Team, organizations tested the fix and provided feedback over about a week. On some Linux distributions, the 4-byte overflow that an attack could cause overwrote an adjacent buffer that was not yet in use, which prevented a system crash or code execution. The other bug only allowed an attacker to control the length of an overflow, not its content.
The sources for this piece include an article in Ars Technica.