Fixing Security Issues with the Latest OpenSSL Update

The OpenSSL Project has released updates to address a number of security issues, including a high-severity bug in the open source encryption toolkit that could potentially leave users vulnerable to malicious attacks. This bug, referred to as CVE-2023-0286, is related to a type confusion issue that could allow an attacker to read memory contents or cause a denial-of-service. It is caused by the way the popular cryptographic library handles X.509 certificates, and is likely to only affect applications that have a custom implementation for retrieving a certificate revocation list over a network. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. Type confusion flaws can be very dangerous, as they can be used to make a program behave in unintended ways, possibly leading to a crash or code execution. If exploited, these vulnerabilities could cause an application to crash, reveal memory contents, and even allow an attacker to recover plaintext messages sent over a network using a timing-based side-channel in a Bleichenbacher-style attack. This fix comes almost two months after OpenSSL patched a low-severity flaw that occurs when processing an X.509 certificate, resulting in a denial-of-service condition.

This Cyber News was published on thehackernews.com. Publication date: Thu, 09 Feb 2023 10:56:02 +0000


Cyber News related to Fixing Security Issues with the Latest OpenSSL Update

CVE-2022-1434 - The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being ...
1 year ago
CVE-2022-30426 - There is a stack buffer overflow vulnerability, which could lead to arbitrary code execution in UEFI DXE driver on some Acer products. An attack could exploit this vulnerability to escalate privilege from ring 3 to ring 0, and hijack control flow ...
2 years ago
OpenSSL Is Hiring - OpenSSL is hiring for a mid level engineer to join our team. We are seeking a Software Engineer to join our team. As a Software Engineer at OpenSSL, you will play a vital role in sustaining and evolving the core cryptography and network protocol ...
4 months ago Openssl.org
DevSecOps: Shifting Security to the Left - This blog explains how Shifting Security to the Left introduces security in the early stages of the DevOps Lifecycle, thus fixing software bugs proactively. Throughout this process, it feels like security has been left behind a little. 'Shifting ...
10 months ago Feeds.dzone.com
Cybersecurity jobs available right now: October 2, 2024 - Help Net Security - As an Applied Cybersecurity Engineer (Center for Securing the Homeland), you will apply interdisciplinary competencies in secure systems architecture and design, security operations, threat actor behavior, risk assessment, and network security to ...
1 week ago Helpnetsecurity.com
Gaining Insights on the Top Security Conferences - A Guide for CSOs - Are you a CSO looking for the best security events around the world? Well, you have come to the right place! This article is a guide to the top security conferences that offer essential security insights to help make informed decisions. Security ...
1 year ago Csoonline.com
Microsoft Security Copilot improves speed and efficiency for security and IT teams - First announced in March 2023, Microsoft Security Copilot-Microsoft's first generative AI security product-has sparked major interest. With the rapid innovations of Security Copilot, we have taken this solution beyond security operations use cases ...
10 months ago Microsoft.com
Adding OpenSSL Generated Certificates to Your Server: A Comprehensive Guide - Utilizing SSL/TLS certificates to encrypt data transferred between your server and clients is one of the fundamental components of server security. The process of adding OpenSSL-generated certificates to your server will be covered in detail in this ...
8 months ago Feeds.dzone.com
Embracing Security as Code - Everything is smooth until it isn't because we traditionally tend to handle the security stuff at the end of the development lifecycle, which adds cost and time to fix those discovered security issues and causes delays. Over the years, software ...
9 months ago Feeds.dzone.com
What Is Cloud Security Management? Types & Strategies - Cloud security management is the process of safeguarding cloud data and operations from attacks and vulnerabilities through a set of cloud strategies, tools, and practices. The cloud security manager and the IT team are generally responsible for ...
4 months ago Esecurityplanet.com
CVE-2021-23841 - The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while ...
10 months ago
CVE-2020-1971 - The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they ...
2 years ago
OpenSSL 3.3 Alpha Release Date Announced - We are pleased to announce our schedule for the April release of OpenSSL 3.3. In accordance with our adoption of biannual time-based releases following the release of OpenSSL 3.2, this will be our first time-based release. An alpha of OpenSSL 3.3 ...
6 months ago Openssl.org
The First 10 Days of a vCISO’S Journey with a New Client - Cyber Defense Magazine - During this period, the vCISO conducts a comprehensive assessment to identify vulnerabilities, engages with key stakeholders to align security efforts with business objectives, and develops a strategic roadmap to prioritize actions and resources. If ...
1 week ago Cyberdefensemagazine.com
CVE-2009-3874 - Integer overflow in the JPEGImageReader implementation in the ImageI/O component in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to execute arbitrary ...
5 years ago
6 Best Cloud Security Companies & Vendors in 2024 - Cloud security companies specialize in protecting cloud-based assets, data, and applications against cyberattacks. To help you choose, we've analyzed a range of cybersecurity companies offering cloud security products and threat protection services. ...
7 months ago Esecurityplanet.com
How to Download the Windows 11 KB5022360 Preview Update with 15 Improvements? - Are you looking to download the Windows 11 KB5022360 Preview update with 15 improvements? Microsoft has recently released the preview of the Windows 11 KB5022360 update that contains several improvements and fixes, including nine security updates, to ...
1 year ago Bleepingcomputer.com
IaaS vs PaaS vs SaaS Security: Which Is Most Secure? - Security concerns include data protection, network security, identity and access management, and physical security. While IaaS gives complete control and accountability, PaaS strikes a compromise between control and simplicity, and SaaS provides a ...
9 months ago Esecurityplanet.com
10 Best Security Service Edge Solutions - Security Service Edge is an idea in cybersecurity that shows how network security has changed over time. With a focus on customized solutions, Security Service Edge Solutions leverages its expertise in multiple programming languages, frameworks, and ...
8 months ago Cybersecuritynews.com
Five business use cases for evaluating Azure Virtual WAN security solutions - To help organizations who are evaluating security solutions to protect their Virtual WAN deployments, this article considers five business use cases and explains how Check Point enhances and complements Azure security with its best-of-breed, ...
5 months ago Blog.checkpoint.com
Windows 11 KB5035853 update released, here's what's new - Microsoft has released the KB5035853 cumulative update for Windows 11 23H3 and 22H2, with 21 fixes and changes, including fixing a bug causing 0x800F0922 errors when installing updates. This update is mandatory as it contains the Microsoft March 2024 ...
6 months ago Bleepingcomputer.com
IaaS Security: Top 8 Issues & Prevention Best Practices - Understanding the risks, advantages, and best practices connected with IaaS security is becoming increasingly important as enterprises shift their infrastructure to the cloud. By exploring the top eight issues and preventative measures, as well as ...
9 months ago Esecurityplanet.com
CVE-2019-1552 - OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / ...
1 year ago
Windows 10 KB5037768 update released with new features and 20 fixes - Microsoft has released the KB5037768 cumulative update for Windows 10 21H2 and Windows 10 22H2 with twenty changes, including account notifications in the Start Menu and Widgets on the lock screen. KB5037768 is a mandatory Windows 10 cumulative ...
4 months ago Bleepingcomputer.com
Windows 11 KB5039302 update released with 9 changes or fixes - The June 2024 optional update for Windows 11 is now available. The latest update, KB5039302, is for Windows 11 version 22H2 and newer and brings several new features and fixes. Since this is an optional update, it doesn't introduce major new features ...
3 months ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)