OpenSSL is the same software that recently hit the headlines for the Heartbleed vulnerability. The 6 software defects (details available here) range in severity and impact: they can allow an attacker to create a denial-of-service condition or, in certain situations, to execute code remotely (for the uninitiated, that is a very bad thing, because an attacker can run whatever code they want on your computer and do whatever they want with it). Some have been quick to seize on these defects as “another Heartbleed”; they are serious, but that seems a stretch. That said, you still need to take note. The announcement, shown below, lists a string of nasty vulnerabilities.
OpenSSL has released fixes for all of these defects and lists the vulnerable versions (and patches). In short, if your IT team patches the software, all of these risks can be mitigated. Unfortunately, as we learned from Heartbleed (and other instances), many IT organisations are very fast to patch Windows systems but very slow to deal with Linux (or other) systems. This leaves extended periods where surprisingly critical software is not patched and attackers could compromise your systems. The vendors of these products show little sign of patching any time soon.
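Working out whether a Linux host is actually fixed takes two checks: is the installed OpenSSL at or past the release the advisory names as patched, and are any running services still holding the old library in memory? The script below is an added example, not code from the original post or from the OpenSSL project. It assumes a Linux host with /proc, an `openssl` binary on PATH, and that you pass in the fixed release for your branch as printed in the advisory (the script does not hardcode one). Release letters are compared using OpenSSL's own ordering (a < b < ... < z < za), and a vendor tag after the letters, such as "-fips", is ignored.

```shell
#!/bin/sh
# Added example (not from the original post): is this host's OpenSSL older
# than the release the advisory names as fixed, and which processes still
# have a libssl mapped? Assumes Linux (/proc), openssl on PATH, and the fixed
# release passed on the command line.

# suffix_rank LETTERS: turn a release-letter suffix into a number so it can
# be compared arithmetically ("" -> 0, "a" -> 1, "z" -> 26, "za" -> 703).
suffix_rank() {
    alpha=abcdefghijklmnopqrstuvwxyz
    s=$1; r=0
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}          # peel off the first character
        head=${alpha%%"$c"*}               # letters that precede c
        r=$(( r * 27 + ${#head} + 1 ))
    done
    echo "$r"
}

# version_key VERSION: print "major minor patch suffix_rank" for strings such
# as 1.0.1g, 0.9.8za, 1.0.1 or 1.0.2k-fips (text after the letters is ignored).
version_key() {
    num=${1%%[!0-9.]*}                     # leading digits and dots
    rest=${1#"$num"}
    letters=${rest%%[!a-z]*}               # release letters, if any
    oldifs=$IFS; IFS=.; set -- $num; IFS=$oldifs
    printf '%s %s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}" "$(suffix_rank "$letters")"
}

# openssl_version_lt A B: succeed (exit 0) when A is an older release than B.
openssl_version_lt() {
    set -- $(version_key "$1") $(version_key "$2")
    while [ $# -gt 4 ]; do                 # compare $1 with $5, then shift
        [ "$1" -lt "$5" ] && return 0
        [ "$1" -gt "$5" ] && return 1
        shift
    done
    return 1                               # identical versions: not older
}

# check_host FIXED: compare `openssl version` on this host against FIXED, the
# release the advisory lists as patched for this branch. Caveat: some distros
# backport fixes without changing the letter, so a "VULNERABLE" result here
# must be confirmed against the package changelog before you act on it.
check_host() {
    fixed=$1
    [ -n "$fixed" ] || { echo "usage: $0 --check <fixed-version>" >&2; return 2; }
    installed=$(openssl version 2>/dev/null | awk '{print $2}')
    [ -n "$installed" ] || { echo "no openssl binary on PATH" >&2; return 2; }
    if openssl_version_lt "$installed" "$fixed"; then
        echo "VULNERABLE: installed $installed is older than fixed $fixed"
        return 1
    fi
    echo "OK: installed $installed is $fixed or newer"
}

# find_libssl_users: list processes with a libssl mapped. Replacing the file
# on disk does not change a running process; it keeps the old code until
# restarted, and the kernel marks such mappings "(deleted)". Needs root to
# read other users' maps. Statically linked daemons and appliances that
# bundle their own OpenSSL will not show up here at all.
find_libssl_users() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%%/*}
        lib=$(grep 'libssl' "$maps" 2>/dev/null | head -n 1 | awk '{print $6, $7}')
        [ -n "$lib" ] || continue
        printf '%s\t%s\t%s\n' "$pid" "$(cat /proc/"$pid"/comm 2>/dev/null)" "$lib"
    done
}

case "${1:-}" in
    --check) check_host "$2" ;;
    --procs) find_libssl_users ;;
esac
```

Run `sh check_openssl.sh --check <fixed-version>` with the release the advisory names for your branch, then `sudo sh check_openssl.sh --procs` after patching: any line ending in "(deleted)" is a service that still needs a restart.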
To reiterate from my previous post, all software has defects, and the reporting of such a large group of vulnerabilities is actually reassuring. During the Heartbleed saga we learned that the team responsible for maintaining this crucial code is surprisingly small and underfunded, and that the code is under-reviewed. The many researchers' names in this release show more firms and researchers getting their eyes on the code and identifying problems, these and the many that will undoubtedly follow.
Make sure your organisation has a plan to patch these defects, to stop attackers crashing your critical systems or potentially executing malicious code. Pay close attention to web servers, but any other system that uses SSL to encrypt information may have the defect too, including appliances and software that ships its own copy of OpenSSL; those depend on a vendor update rather than the system package. Replacing the library is also only half the job: a service keeps running the old code until it is restarted, so restart (or reboot) after patching. Follow @jameslyne on Twitter.