OpenSSL Project Releases OpenSSL 1.1.1l, Patching a High-Severity Vulnerability


The OpenSSL Project released OpenSSL 1.1.1l on Tuesday, which fixes a high-severity vulnerability that might allow an attacker to change an application’s behaviour or force it to crash.

The bug, tracked as CVE-2021-3711, is a buffer overflow in SM2 decryption.

“A malicious attacker who is able to offer SM2 content for decryption to an application could cause attacker-chosen data to overrun the buffer by up to 62 bytes, thereby changing application behaviour or causing the programme to crash. The buffer’s location is application-dependent, but it’s usually heap allocated,” according to an advisory from the OpenSSL Project.

The changes an attacker could make, according to Matt Caswell of the OpenSSL Project, depend on the targeted programme and the type of data it holds in the heap immediately after the overrun buffer.

“Consider each type of data that an application might store in memory (e.g., financials, credentials, etc.) and consider what might happen if an attacker could change it,” he said.

The security flaw, discovered by John Ouyang, affects OpenSSL versions prior to 1.1.1.

Users of OpenSSL should also be aware of CVE-2021-3712, a medium-severity flaw that can be exploited for denial-of-service (DoS) attacks and may expose private memory contents, such as private keys. With the release of versions 1.1.1j and 1.0.2za, this issue has been resolved.
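As an added example (not code from the article or from the OpenSSL Project), the POSIX shell checker below classifies `openssl version` output against the fixed releases named in the article: 1.1.1l for the 1.1.1 series and 1.0.2za for the 1.0.2 series. The sample version lines are constructed; point it at `openssl version` output collected from real hosts to find builds still needing the update.

```shell
#!/bin/sh
# Added example (not from the article or the OpenSSL Project):
# classify an "openssl version" line against the fixed releases
# named in the article: 1.1.1l for the 1.1.1 series and 1.0.2za for
# the 1.0.2 series. Letter suffixes are compared as strings, which
# also orders the two-letter "za" after "z" in the 1.0.2 series.

# Extract the version token, e.g. "1.1.1k" from
# "OpenSSL 1.1.1k  25 Mar 2021"; prints nothing for non-OpenSSL input.
openssl_version_token() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Print "needs-patch" (exit 2) for an affected 1.1.1 or 1.0.2 build,
# "patched" (exit 0) at or after the fixed release, and "unknown"
# (exit 1) for any other branch or for unparsable input.
openssl_patch_status() {
    ver=$(openssl_version_token "$1")
    [ -n "$ver" ] || { echo unknown; return 1; }
    base=${ver%%[a-z]*}    # numeric part, e.g. 1.1.1
    suffix=${ver#"$base"}  # letter part, e.g. k (empty for plain 1.1.1)
    case "$base" in
        1.1.1) fixed=l ;;
        1.0.2) fixed=za ;;
        *) echo unknown; return 1 ;;
    esac
    # Same numeric base, so the suffix decides; an empty suffix is
    # the branch's first release and therefore predates the fix.
    if [ "$suffix" \< "$fixed" ]; then
        echo needs-patch; return 2
    fi
    echo patched
}

# Constructed sample lines, as a fleet inventory might collect them.
for line in "OpenSSL 1.1.1k  25 Mar 2021" "OpenSSL 1.1.1l  24 Aug 2021" \
            "OpenSSL 1.0.2z  24 Aug 2021" "OpenSSL 1.0.2za  24 Aug 2021"; do
    printf '%-32s %s\n' "$line" "$(openssl_patch_status "$line")"
done
```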


This year, five more OpenSSL flaws were discovered, including two that were categorised as high severity. Only three weaknesses in OpenSSL were discovered in 2020.

Since the Heartbleed vulnerability was revealed in 2014, the open source TLS library has improved significantly in terms of security, with only a few high-severity problems being discovered in recent years.
