ClickCease OpenSSL "critical" vulnerability is less serious than expected

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

OpenSSL vulnerability feared as “critical” is less serious than expected

November 18, 2022 - TuxCare PR Team

The long-awaited OpenSSL bug fixes to fix a critical severity security hole are available now. New OpenSSL patches have reduced the severity of the bug from critical to high.

The Heartbleed bug was a data leak bug in OpenSSL that could be triggered by clients and random internet users against servers almost anywhere.

OpenSSL 1.1.1 is upgraded to version 1.1.1s and fixes one listed security bug, but this bug lacks a security rating or an official CVE number, while OpenSSL 3.0 is upgraded to version 3.0.7 and fixes not one but two CVE-numbered vulnerabilities, both officially described as high severity. While issuing a patch for CVE-2022-3602, a new and similar bug, CVE-2022-3786, was discovered.

Until the release of the patch, the specific vulnerabilities of CVE-2022-37786 and CVE-2022-3602 were largely unknown, but web security analysts and companies indicated that there could be significant problems and maintenance pain. Some Linux distributions, such as Fedora, delayed the release until the patch was available. Meanwhile, these vulnerabilities mainly affect clients, not servers.

Users now need to use OpenSSL 1.1.1s or OpenSSL 3.0.7 to replace whatever version is now in use, as 1.1.1s has received a security patch. 3.0.7 also receives fixes for the two CVE-numbered HIGH severity vulnerabilities.  1.0.2 will continue to be supported and updated, but only for customers who have signed contracts with the team.

According to a blog post by the OpenSSL Security Team, organizations tested and provided feedback in about a week. On some Linux distributions, the 4-byte overflow that was possible in an attack overwrote an adjacent buffer that had not yet been used, preventing a system crash or code execution. The other bug only allowed an attacker to change the length of an overflow, not its content.

The sources for this piece includes an article in ArsTechnica.

OpenSSL vulnerability feared as "critical" is less serious than expected
Article Name
OpenSSL vulnerability feared as "critical" is less serious than expected
New OpenSSL patches have reduced the severity of the long-awaited OpenSSL bug from critical to high allaying initial fears.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter