
OpenSSL patches two high-severity flaws

Discussion in 'CSO' started by RSS, May 5, 2016.


    OpenSSL has released versions 1.0.2h and 1.0.1t of its open source cryptographic library, fixing multiple security vulnerabilities that can lead to traffic being decrypted, denial-of-service attacks, and arbitrary code execution. One of the high-severity vulnerabilities is actually a hybrid of two low-risk bugs and can cause OpenSSL to crash.

    Two seemingly unrelated bugs can be chained together to create a serious security problem. The first bug in CVE-2016-2108 is an issue with the ASN.1 parser that triggers a buffer underflow and performs an out-of-bounds write if zero is represented as a negative value. While the flaw was quietly patched last year, it wasn't considered a security vulnerability because an attacker would not be able to get the parser to create the value. However, there was an unrelated bug where the ASN.1 parser could misinterpret a large universal tag as a negative zero value.
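    The paragraph above turns on two parser details: how an ASN.1 tag number is decoded and how an INTEGER is turned into an internal sign-and-magnitude value. The following is an added example (not OpenSSL code, and not a reproduction of the patched bug) of a strict DER decoder in Python that bounds long-form tag numbers and rejects non-canonical INTEGER encodings, so that neither path can hand a downstream representation a value it was never meant to hold. Function names and the sample byte strings are constructed for this illustration.

```python
# Added example: strict DER tag / length / INTEGER decoding with explicit bounds.
# Not OpenSSL code; helper names and sample inputs are assumptions for this example.

TAG_NUMBER_LIMIT = 0x7FFFFFFF  # keep tag numbers inside a signed 32-bit range


def decode_tag(buf, pos=0):
    """Decode one identifier (short or long form).
    Returns (tag_class, constructed, tag_number, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated tag")
    first = buf[pos]
    pos += 1
    tag_class = first >> 6
    constructed = bool(first & 0x20)
    number = first & 0x1F
    if number == 0x1F:                      # long form: base-128 continuation octets
        number = 0
        count = 0
        while True:
            if pos >= len(buf):
                raise ValueError("truncated long-form tag")
            b = buf[pos]
            pos += 1
            if count == 0 and b == 0x80:    # a leading zero septet is not minimal
                raise ValueError("non-minimal long-form tag")
            number = (number << 7) | (b & 0x7F)
            count += 1
            if number > TAG_NUMBER_LIMIT:   # refuse instead of silently wrapping
                raise ValueError("tag number too large")
            if not b & 0x80:
                break
        if number < 0x1F:
            raise ValueError("long-form tag used for a small tag number")
    return tag_class, constructed, number, pos


def decode_length(buf, pos):
    """Decode a definite DER length; indefinite and non-minimal forms are rejected."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    b = buf[pos]
    pos += 1
    if b < 0x80:
        return b, pos
    n = b & 0x7F
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length not allowed in DER")
    if pos + n > len(buf):
        raise ValueError("truncated length")
    length = int.from_bytes(buf[pos:pos + n], "big")
    if length < 0x80 or buf[pos] == 0:      # long form only when needed, no leading zero
        raise ValueError("non-minimal length")
    return length, pos + n


def decode_der_integer(buf):
    """Decode a complete DER INTEGER TLV into a Python int.
    Two's-complement content is converted directly, so a sign flag derived from the
    result can never be 'negative' while the magnitude is zero."""
    tag_class, constructed, number, pos = decode_tag(buf)
    if tag_class != 0 or constructed or number != 2:
        raise ValueError("not a primitive universal INTEGER")
    length, pos = decode_length(buf, pos)
    if length == 0:
        raise ValueError("INTEGER must have at least one content octet")
    if pos + length != len(buf):
        raise ValueError("length does not match content")
    content = buf[pos:pos + length]
    if length >= 2:
        if content[0] == 0x00 and not content[1] & 0x80:
            raise ValueError("non-minimal: redundant leading 0x00")
        if content[0] == 0xFF and content[1] & 0x80:
            raise ValueError("non-minimal: redundant leading 0xFF")
    return int.from_bytes(content, "big", signed=True)


def rejects(decoder, buf):
    """True if the decoder refuses the input (used to check the negative cases)."""
    try:
        decoder(buf)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed samples: canonical encodings decode, non-canonical ones are refused.
    print(decode_der_integer(bytes([0x02, 0x01, 0x00])))         # 0
    print(decode_der_integer(bytes([0x02, 0x02, 0x00, 0x80])))   # 128
    print(rejects(decode_der_integer, bytes([0x02, 0x02, 0x00, 0x7F])))  # True
    print(rejects(decode_tag, bytes([0x1F, 0x8F, 0xFF, 0xFF, 0xFF, 0x7F])))  # True
```

The design point is that each stage refuses input it cannot represent exactly: the tag decoder errors out before a 32-bit field would wrap, and the INTEGER decoder rejects any encoding that is not the unique DER form, so a downstream sign-and-magnitude store is only ever populated from a value the parser fully understood.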


