OpenSSL patches two high-severity flaws

Versions 1.0.2h and 1.0.1t of the cryptographic library also patch several more bugs of lesser impact.

By Fahmida Y. Rashid

OpenSSL has released versions 1.0.2h and 1.0.1t of its open source cryptographic library, fixing multiple security vulnerabilities that can lead to traffic being decrypted, denial-of-service attacks, and arbitrary code execution. One of the high-severity vulnerabilities is actually a hybrid of two low-risk bugs and can cause OpenSSL to crash.

Two seemingly unrelated bugs can be chained together to create a serious security problem. The first bug in CVE-2016-2108 is an issue with the ASN.1 parser that triggers a buffer underflow and performs an out-of-bounds write if zero is represented as a negative value. While the flaw was quietly patched last year, it wasn’t considered a security vulnerability because an attacker would not be able to get the parser to create the value. However, there was an unrelated bug where the ASN.1 parser could misinterpret a large universal tag as a negative zero value.

To read the entire article, please click here.