The long-awaited OpenSSL fixes for what had been pre-announced as a critical severity security hole are now available. With the new OpenSSL patches, the severity of the bug has been downgraded from critical to high.
By comparison, the Heartbleed bug was a data leak in OpenSSL that could be triggered by clients and random internet users against servers almost anywhere.
OpenSSL 1.1.1 is upgraded to version 1.1.1s, which fixes one listed security bug that carries neither a severity rating nor an official CVE number, while OpenSSL 3.0 is upgraded to version 3.0.7, which fixes not one but two CVE-numbered vulnerabilities, both officially rated high severity. While the patch for CVE-2022-3602 was being prepared, a second, similar bug, CVE-2022-3786, was discovered.
Until the release of the patch, the details of CVE-2022-3786 and CVE-2022-3602 were largely unknown, but web security analysts and companies indicated that there could be significant problems and maintenance pain. Some Linux distributions, such as Fedora, delayed releases until the patch was available. These vulnerabilities mainly affect clients, not servers.
Users should now replace whatever version is in use with OpenSSL 1.1.1s or OpenSSL 3.0.7: 1.1.1s carries the security fix for the 1.1.1 series, and 3.0.7 fixes the two CVE-numbered HIGH severity vulnerabilities. OpenSSL 1.0.2 will continue to be supported and updated, but only for customers who have signed support contracts with the OpenSSL team.
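A quick way to triage an estate against the version guidance above is to parse the banner printed by `openssl version` and map it to the fixed releases named here (3.0.7 for the 3.0 series, 1.1.1s for the 1.1.1 series). The script below is an added example, not code from TuxCare or the OpenSSL project; the host names and banners are constructed sample data, and it assumes the version string is meaningful, which is not true on distributions that backport fixes without bumping the version.

```python
import re
from typing import Dict, Optional, Tuple

# Matches 'OpenSSL 3.0.5 5 Jul 2022' or 'OpenSSL 1.1.1q  5 Jul 2022'.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner: str) -> Optional[Tuple[int, int, int, str]]:
    """Return (major, minor, patch, letter) from an `openssl version` banner,
    or None when the banner is not from OpenSSL (e.g. LibreSSL)."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def assess(banner: str) -> str:
    """Map a banner to the remediation state described in the advisory coverage."""
    v = parse_version(banner)
    if v is None:
        return "unknown: not an OpenSSL version banner"
    major, minor, patch, letter = v
    if (major, minor) == (3, 0):
        if patch < 7:
            return "affected: upgrade to 3.0.7 (CVE-2022-3602, CVE-2022-3786)"
        return "ok: 3.0.7 or later"
    if (major, minor, patch) == (1, 1, 1):
        # 1.1.1 releases are lettered a..z; an empty suffix (plain 1.1.1)
        # sorts before 'a', so the lexical comparison covers it too.
        if letter < "s":
            return "update available: 1.1.1s carries an unrated fix; not affected by the 3.0 CVEs"
        return "ok: 1.1.1s or later"
    if major > 3 or (major == 3 and minor > 0):
        return "ok: newer than the 3.0 series; not covered by this advisory"
    return "unsupported: 1.0.2 and older are updated only under a support contract"


def audit_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Assess every host's banner. Caveat: distro packages (e.g. a vendor
    3.0.2 with backported fixes) may be patched without a version bump, so
    confirm with the package changelog before declaring a host exposed."""
    return {host: assess(banner) for host, banner in inventory.items()}


if __name__ == "__main__":
    sample = {  # constructed sample data, not real hosts
        "web-01": "OpenSSL 3.0.5 5 Jul 2022",
        "web-02": "OpenSSL 3.0.7 1 Nov 2022",
        "legacy-db": "OpenSSL 1.1.1q  5 Jul 2022",
        "bsd-box": "LibreSSL 3.3.6",
    }
    for host, verdict in audit_inventory(sample).items():
        print(f"{host:10} {verdict}")
```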
According to a blog post by the OpenSSL Security Team, organizations tested the fix and provided feedback in about a week. On some Linux distributions, the 4-byte overflow that an attack could trigger overwrote an adjacent buffer that was not yet in use, which prevented a system crash or code execution. The other bug only allowed an attacker to control the length of the overflow, not its content.
The sources for this piece include an article in ArsTechnica.