Get ready. Mystery high severity bug in OpenSSL to be patched on Thursday

Graham Cluley

A new version of OpenSSL, the open-source software widely used to encrypt internet communications using SSL/TLS, is due to be released this Thursday, 9th July, patching a single “high severity” vulnerability.

But if you’re hoping I can shed some light on what the vulnerability is, I’m sorry. I can’t help.

In a mailing list posting, developer Mark J Cox announced the new version of the code in the briefest fashion possible:

OpenSSL announcement

The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p.

These releases will be made available on 9th July. They will fix a single security defect classified as “high” severity. This defect does not affect the 1.0.0 or 0.9.8 releases.

Most infamously, OpenSSL was struck by the Heartbleed bug last year, which (amongst other things) threatened up to 50 million Android devices and helped malicious hackers to steal passwords. Oh, and it also had a neat logo.

Fingers crossed, this new vulnerability in OpenSSL won’t be anything like as serious as Heartbleed – but the grading of it as “high severity” means that it could open the door to various threats: ranging from fairly tame denial-of-service attacks to rather unpleasant remote code execution.

Don’t be too upset that the OpenSSL project is keeping details of the vulnerability under its hat for now. No doubt they will be concerned that any information they share in advance could be exploited in live hacks by malicious hackers.

Being careful about vulnerability disclosure is particularly important when the software is so widely used, and understood to be an essential component required in securing internet transactions.

Nobody enjoys thinking about the risks associated with having a security bug in essential code used by so many internet services – especially before a special patch is ready for mainstream use.

But at least you can be reassured that patches are on their way, and that the OpenSSL team is not resting on its laurels.

So, listen up system administrators and developers. When the update fixing the OpenSSL vulnerability does arrive sometime on Thursday, be sure to patch as soon as possible. You owe it to your own security, and to the security of your partners and customers, who rely on you to protect their connections too.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

5 Replies to “Get ready. Mystery high severity bug in OpenSSL to be patched on Thursday”

    1. Or bugger.

      There have been far too many CVEs for openssl in recent months:

      $ rpm -q –changelog openssl |egrep -c CVE-201[45]
      42
      (an amusing number except perhaps here, given the context)
      $ rpm -q –changelog openssl |egrep -c CVE-2015
      20
      $ rpm -q –changelog openssl |egrep -c CVE-20[01][0-9]
      68

      Far too many in the past 1.51 years, when you consider 68 total for the past 15 years. Scary when you consider the importance of it (there are also fixes to fixes as well as partial fixes, above, but I don't see counting those as a problem here).

      1. Let's try that again, to get around the way dashes are handled…

        rpm -q --changelog openssl |egrep -c CVE-201[45]
        rpm -q --changelog openssl |egrep -c CVE-2015
        rpm -q --changelog openssl |egrep -c CVE-20[01][0-9]

  1. "Most infamously, OpenSSL was struck by the Heartbleed bug earlier this year"

    Heartbleed was last year although I admit it doesn't feel that long ago ;)
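The CVE-counting commands in the first comment above count matching changelog lines, so a line that names two CVEs counts once and a CVE that reappears in a later entry (a follow-up or partial fix, which the commenter mentions) counts again. The script below is an added example, not code from the post or its commenters: it extracts the CVE ids and de-duplicates them, alongside the original line-count method, over a constructed changelog sample in the style of `rpm -q --changelog openssl`. Every CVE number in the sample is a placeholder, not a real advisory, and `grep -o` assumes GNU or BSD grep.

```shell
#!/bin/sh
# Added example (not from the post or its commenters): count *distinct* CVE ids in
# an rpm-style changelog for a year pattern. `egrep -c` counts matching lines, so
# a line naming two CVEs counts once and a CVE mentioned again in a later entry
# (a follow-up fix) counts twice. Extracting the ids and de-duplicating them
# gives the number of separate advisories instead.

# Constructed sample in the style of `rpm -q --changelog openssl` output.
# Every CVE number here is a placeholder for the example, not a real advisory.
SAMPLE_CHANGELOG='* Tue Jun 09 2015 Example Maintainer <maint@example.invalid> - 1.0.1e-42
- fix CVE-2015-0000 and CVE-2015-0001 (placeholder ids, one line, two CVEs)
* Mon Mar 23 2015 Example Maintainer <maint@example.invalid> - 1.0.1e-41
- follow-up fix for CVE-2015-0000 (placeholder id, repeated in a later entry)
* Wed Apr 09 2014 Example Maintainer <maint@example.invalid> - 1.0.1e-34
- fix CVE-2014-0000 (placeholder id)
* Fri Jan 24 2014 Example Maintainer <maint@example.invalid> - 1.0.1e-33
- partial fix for CVE-2014-0000 (placeholder id, repeated)
* Thu Jan 01 2009 Example Maintainer <maint@example.invalid> - 0.9.8e-12
- fix CVE-2009-0000 (placeholder id)'

# distinct_cves YEAR_REGEX: read changelog text on stdin and print each matching
# CVE id once, sorted. YEAR_REGEX is an extended regex such as '201[45]'.
# For a real system: rpm -q --changelog openssl | distinct_cves '201[45]'
distinct_cves() {
    grep -oE "CVE-$1-[0-9]{4,}" | sort -u
}

# count_cve_lines YEAR_REGEX: the line-count method from the comment above,
# applied to the sample changelog (grep -c prints 0 and exits 1 on no match,
# so the status is forced to success).
count_cve_lines() {
    printf '%s\n' "$SAMPLE_CHANGELOG" | grep -Ec "CVE-$1" || true
}

# count_distinct_cves YEAR_REGEX: number of distinct CVE ids in the sample.
count_distinct_cves() {
    printf '%s\n' "$SAMPLE_CHANGELOG" | distinct_cves "$1" | wc -l | tr -d ' '
}

# Show both counts side by side for the three patterns used in the comment.
for pattern in '201[45]' '2015' '20[01][0-9]'; do
    printf '%-12s lines matching: %s   distinct CVE ids: %s\n' \
        "$pattern" "$(count_cve_lines "$pattern")" "$(count_distinct_cves "$pattern")"
done
```

On the sample, the `201[45]` pattern matches 4 lines but only 3 distinct ids, because one line carries two CVEs and one CVE is repeated by a follow-up fix; the two effects happen to partly cancel, which is why a line count can look plausible while being wrong in both directions.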
