To Patch or Not To Patch? That is the Question.

OpenSSL Goes Critical, Again!

OpenSSL was behind one of the great vulnerabilities on the Internet, and it has one of the weakest track records of any software system. And so, again, it is on the naughty step with a major bug that has yet to be fixed. For many, OpenSSL is the Swiss Army Knife of Cybersecurity, and it is the place that many turn to in order to check their cryptographic methods. But underneath, there’s a tangle of code that has evolved over the decades, and whose design lacks a strong software engineering approach.

The new bug (CVE-2022-2068) concerns TLS communications and involves memory corruption — a heap buffer overflow — in the code for Intel’s Advanced Vector Extensions 512 (AVX512). But things get a little worse, as this problem was meant to have been fixed along with CVE-2022-1292. As we can see, the CVE is now under reanalysis and has been given a rating of 9.8 (critical).

The previous release was OpenSSL 3.0.4, and it needs to be updated. Overall, it is possible for an intruder to trigger the memory corruption and then run malicious code. While there are no reported exploits of this yet, there is a race to patch systems before facing another Heartbleed case.

One way to mitigate is to stay on OpenSSL 1.1.1 and not move to Version 3. Another…
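A fleet-triage script of the kind a defender would run before deciding which hosts to patch first. This is an added example, not code from the article or from the OpenSSL project: it classifies the output of `openssl version` against the releases the article names (3.0.4 must be patched, the 1.1.1 line is the article's fallback) and checks whether a Linux host even advertises the AVX512 feature that the affected code path depends on. The sample version strings and `/proc/cpuinfo` lines are constructed; the `--live` mode and the status words PATCH/REVIEW/OK/UNKNOWN are this example's own conventions.

```shell
#!/bin/sh
# Added triage example (not from the article): classify an "openssl version"
# string against the releases the article names, and check whether a host
# advertises the AVX512 CPU feature that the described code path depends on.

# classify_openssl_version "<output of: openssl version>"
# Prints exactly one word: PATCH, REVIEW, OK or UNKNOWN. Always returns 0 so
# it is safe inside command substitution under "set -e".
classify_openssl_version() {
  # The second whitespace-separated field is the version, e.g. "3.0.4" or "1.1.1q".
  ver=$(printf '%s\n' "$1" | awk '{print $2}')
  case "$ver" in
    3.0.4)   echo PATCH   ;;  # the release the article says must be updated
    3.0.*)   echo REVIEW  ;;  # other 3.0.x builds: confirm against the OpenSSL advisory
    1.1.1*)  echo OK      ;;  # the article's suggested fallback line
    *)       echo UNKNOWN ;;  # 1.0.x, 1.1.0, pre-release, or unparsable input
  esac
  return 0
}

# host_has_avx512 "<contents of /proc/cpuinfo>"
# Returns 0 if an avx512f flag is present (Linux lists CPU features there).
host_has_avx512() {
  printf '%s\n' "$1" | grep -qE '(^|[[:space:]])avx512f([[:space:]]|$)'
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_VERSION_OLD='OpenSSL 3.0.4 21 Jun 2022 (Library: OpenSSL 3.0.4 21 Jun 2022)'
SAMPLE_VERSION_LTS='OpenSSL 1.1.1q  5 Jul 2022'
SAMPLE_CPUINFO_AVX='flags : fpu vme sse2 avx avx2 avx512f avx512dq'
SAMPLE_CPUINFO_NOAVX='flags : fpu vme sse2 avx avx2'

# Stand-alone run: triage the constructed samples, or the real host when
# invoked with "--live" (uses the openssl binary on PATH and /proc/cpuinfo).
if [ "${1:-}" = "--live" ]; then
  v=$(openssl version 2>/dev/null || echo 'OpenSSL unknown')
  c=$(cat /proc/cpuinfo 2>/dev/null || echo '')
  printf 'host: %s -> %s\n' "$v" "$(classify_openssl_version "$v")"
  host_has_avx512 "$c" && echo 'host: AVX512 present' || echo 'host: no AVX512'
else
  printf '%s -> %s\n' "$SAMPLE_VERSION_OLD" "$(classify_openssl_version "$SAMPLE_VERSION_OLD")"
  printf '%s -> %s\n' "$SAMPLE_VERSION_LTS" "$(classify_openssl_version "$SAMPLE_VERSION_LTS")"
  host_has_avx512 "$SAMPLE_CPUINFO_AVX" && echo 'sample A: AVX512 present'
  host_has_avx512 "$SAMPLE_CPUINFO_NOAVX" || echo 'sample B: no AVX512'
fi
```

One caveat when using a version string for triage: distribution packages (Debian, Ubuntu, RHEL and others) routinely backport security fixes without bumping the upstream version number, so a PATCH or REVIEW result should be confirmed against the package changelog rather than treated as proof that a host is still exposed.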

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice