CyberSecurityBoard
Sponsor Register Login

Fixing a Major Security Issue with OpenSSL that Could Lead to Data Theft

OpenSSL, one of the most widely used encryption libraries in the world, has just released three security updates. These updates cover the two current open-source versions that the organisation supports, as well as the Old 1.0.2-version series, which is only available to customers who pay for premium support. The OpenSSL project used to have four-part version identifiers, with the last letter acting as a counter that could support 26 sub-versions. However, this was not enough, so the team decided to adopt the popular X.Y.Z three-number versioning system. There are eight CVE-numbered bug fixes in total, seven of which were caused by memory mismanagement. These include X.400 address type confusion in X.509 GeneralName, use-after-free following BIO new NDEF, NULL dereference during PKCS7 data verification, and read buffer overflows. The most serious bug is the type confusion bug, which can allow an attacker to pass arbitrary pointers to a memcmp() call, enabling them to read memory contents. To ensure that all related tasks take the same amount of time, even the Easy cases must be slowed down. It is important to remember that, for many Linux distros, an operating system update must be installed for the shared libraries used by many applications, as well as updating any applications that bring along their own versions of OpenSSL.

This Cyber News was published on nakedsecurity.sophos.com. Publication date: Thu, 09 Feb 2023 17:41:02 +0000


Cyber News related to Fixing a Major Security Issue with OpenSSL that Could Lead to Data Theft

How to perform a proof of concept for automated discovery using Amazon Macie | AWS Security Blog - After reviewing the managed data identifiers provided by Macie and creating the custom data identifiers needed for your POC, it’s time to stage data sets that will help demonstrate the capabilities of these identifiers and better understand how ...
1 year ago Aws.amazon.com
25 Best Managed Security Service Providers (MSSP) - 2025 - Pros & Cons: ProsConsStrong threat intelligence & expert SOCs.High pricing for SMBs.24/7 monitoring & rapid incident response.Complex UI and steep learning curve.Flexible, scalable, hybrid deployments.Limited visibility into endpoint ...
8 months ago Cybersecuritynews.com
CVE-2022-1434 - The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being ...
3 years ago
31 Alarming Identity Theft Statistics for 2024 - Identity theft is a prevalent issue that affects millions of people annually. Although the numbers are startling, we've selected the 31 most concerning identity theft statistics to help you understand how to secure your identity. In 2022, the FTC ...
2 years ago Pandasecurity.com
The Latest Identity Theft Methods: Essential Protection Strategies Revealed - Identity theft has evolved far beyond the days of stolen mail and dumpster diving. Today's identity thieves employ sophisticated techniques, including account takeovers and government benefit fraud, making it essential for you to stay vigilant to ...
2 years ago Hackread.com
Unmasking Identity Theft: Detection and Mitigation Strategies - In an increasingly digital world, the threat of identity theft looms large, making it imperative for individuals to be proactive in detecting potential breaches and implementing effective mitigation measures. This article delves into key strategies ...
2 years ago Cybersecurity-insiders.com
Lightship Security and the OpenSSL Corporation Submit OpenSSL 3.5.4 for FIPS 140-3 Validation - Lightship Security and the OpenSSL Corporation have jointly submitted OpenSSL version 3.5.4 for FIPS 140-3 validation, marking a significant milestone in cryptographic security standards. This submission aims to ensure that OpenSSL, a widely used ...
4 months ago Cybersecuritynews.com
OpenSSL Is Hiring - OpenSSL is hiring for a mid level engineer to join our team. We are seeking a Software Engineer to join our team. As a Software Engineer at OpenSSL, you will play a vital role in sustaining and evolving the core cryptography and network protocol ...
1 year ago Openssl.org
Cybersecurity jobs available right now: October 2, 2024 - Help Net Security - As an Applied Cybersecurity Engineer (Center for Securing the Homeland), you will apply interdisciplinary competencies in secure systems architecture and design, security operations, threat actor behavior, risk assessment, and network security to ...
1 year ago Helpnetsecurity.com
Adding OpenSSL Generated Certificates to Your Server: A Comprehensive Guide - Utilizing SSL/TLS certificates to encrypt data transferred between your server and clients is one of the fundamental components of server security. The process of adding OpenSSL-generated certificates to your server will be covered in detail in this ...
2 years ago Feeds.dzone.com
CVE-2021-23841 - The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while ...
2 years ago
Key Breakthroughs from RSA Conference 2025 - Day 1 - Sumo Logic unveiled intelligent security operations with capabilities like detection-as-code (bringing DevSecOps to threat detection), UEBA historical baselining (improving accuracy by learning behavior over time), multiple threat intelligence feeds, ...
10 months ago Cybersecuritynews.com Inception
CVE-2020-1971 - The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they ...
3 years ago
How To Correlate Web Logs And Network Indicators To Track Credential Theft - To effectively detect credential theft, organizations must collect and analyze logs from a variety of sources, including web servers, authentication systems, proxies, DNS servers, endpoint protection platforms, and network monitoring tools. Common ...
10 months ago Cybersecuritynews.com
OpenSSL 3.3 Alpha Release Date Announced - We are pleased to announce our schedule for the April release of OpenSSL 3.3. In accordance with our adoption of biannual time-based releases following the release of OpenSSL 3.2, this will be our first time-based release. An alpha of OpenSSL 3.3 ...
1 year ago Openssl.org
Microsoft Security Copilot improves speed and efficiency for security and IT teams - First announced in March 2023, Microsoft Security Copilot-Microsoft's first generative AI security product-has sparked major interest. With the rapid innovations of Security Copilot, we have taken this solution beyond security operations use cases ...
2 years ago Microsoft.com
Aim for a modern data security approach - Risk, compliance, governance, and security professionals are finally realizing the importance of subjecting sensitive workloads to robust data governance and protection the moment the data begins traversing the data pipeline. Why current data ...
2 years ago Helpnetsecurity.com
20 Best Endpoint Management Tools - 2025 - What is Good?What Could Be Better?Comprehensive endpoint security against many threats.The user interface may overwhelm some users.Machine learning for real-time threat detection.Integration with existing systems may be complex.A central management ...
11 months ago Cybersecuritynews.com
Localization Mandates, AI Regs to Pose Major Data Challenges in 2024 - Companies should expect to face a trio of trends in 2024 that make data security, protection, and compliance more critical to operations and risk reduction. Increasingly, governments worldwide are creating laws that govern the handling of data within ...
2 years ago Darkreading.com
CVE-2019-1552 - OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / ...
3 years ago
DevSecOps: Shifting Security to the Left - This blog explains how Shifting Security to the Left introduces security in the early stages of the DevOps Lifecycle, thus fixing software bugs proactively. Throughout this process, it feels like security has been left behind a little. 'Shifting ...
2 years ago Feeds.dzone.com
Top 30 Best Penetration Testing Tools - 2025 - The tool supports various protocols and offers advanced filtering and analysis capabilities, making it ideal for diagnosing network issues, investigating security incidents, and understanding complex network interactions during penetration testing. ...
11 months ago Cybersecuritynews.com
CVE-2021-3712 - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the ...
3 years ago
Embracing Security as Code - Everything is smooth until it isn't because we traditionally tend to handle the security stuff at the end of the development lifecycle, which adds cost and time to fix those discovered security issues and causes delays. Over the years, software ...
2 years ago Feeds.dzone.com
New Microsoft Purview features use AI to help secure and govern all your data - More than 90% of organizations use multiple cloud infrastructures, platforms, and services to run their business, adding complexity to securing all data.1Microsoft Purview can help you secure and govern your entire data estate in this complex and ...
2 years ago Microsoft.com

Latest Cyber News


    Cyber Trends (last 7 days)


    Trending Cyber News (last 7 days)