The OpenSSL project has issued an advance notice of a vulnerability fix, reminding system administrators to prepare for an OpenSSL upgrade. The new OpenSSL releases are due on Thursday, July 9, and will fix an undisclosed high-severity vulnerability. Many security experts speculate that it could be another "Heartbleed".
Mysterious high-severity 0day vulnerability
OpenSSL is a widely used open-source software library that implements SSL and TLS, providing encrypted Internet connections for most websites.
The OpenSSL project team announced this week that a vulnerability rated "high" severity will be fixed in the upcoming releases of the OpenSSL cryptographic library, versions 1.0.2d and 1.0.1p.
Beyond the fact that it does not affect 1.0.0 or 0.9.8, no further details about this security vulnerability have been disclosed. In a mailing list post published the day before yesterday, developer Mark J Cox states:
"The OpenSSL project team announces the forthcoming release of OpenSSL 1.0.2d and 1.0.1p, two new versions to be released on July 9. It is worth noting that the two new releases fix a vulnerability rated 'high' severity. However, this vulnerability does not affect 1.0.0 or 0.9.8."
OpenSSL issues such an alert before releasing a new version so that administrators can schedule the upgrade, while withholding the details prevents attackers from reverse-engineering and exploiting the vulnerability before the fix is publicly available.
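The only actionable facts in the notice are the version numbers: 1.0.2 and 1.0.1 need to move to 1.0.2d and 1.0.1p, while 1.0.0 and 0.9.8 are unaffected. The following added example (written for this page, not code from the OpenSSL project or the article's author) parses `openssl version` banners collected from a fleet and triages each host against those version boundaries. The banner strings in the inventory are constructed sample data; the host names are made up.

```python
import re

# Fixed releases named in the OpenSSL pre-announcement: the high-severity fix
# ships in 1.0.2d and 1.0.1p. The 1.0.0 and 0.9.8 branches are not affected.
FIXED_RELEASES = {"1.0.2": "d", "1.0.1": "p"}
UNAFFECTED_BRANCHES = {"1.0.0", "0.9.8"}

# Matches the numeric branch and the patch letter(s) in banners such as
# "OpenSSL 1.0.1e-fips 11 Feb 2013" or "OpenSSL 0.9.8zg 11 Jun 2015".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (branch, letters) from an `openssl version` banner, or None
    if the banner is not an OpenSSL banner (e.g. LibreSSL)."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return m.group(1), m.group(2)


def letter_key(letters):
    """OpenSSL 1.0.x/0.9.8 patch letters run a..z and then za, zb, ...
    A (length, string) tuple orders them correctly: '' < 'a' < 'z' < 'za'."""
    return (len(letters), letters)


def upgrade_status(banner):
    """Classify one banner against the pre-announcement:
    'fixed', 'upgrade-required', 'not-affected', or 'unknown'."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unknown"
    branch, letters = parsed
    if branch in UNAFFECTED_BRANCHES:
        return "not-affected"
    if branch in FIXED_RELEASES:
        if letter_key(letters) >= letter_key(FIXED_RELEASES[branch]):
            return "fixed"
        return "upgrade-required"
    # Branches the notice says nothing about (later releases, forks) are not
    # classified rather than guessed at.
    return "unknown"


def triage(inventory):
    """Map each host in {host: banner} to its upgrade status."""
    return {host: upgrade_status(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "web-02": "OpenSSL 1.0.2d 9 Jul 2015",
    "api-01": "OpenSSL 1.0.2 22 Jan 2015",
    "legacy-01": "OpenSSL 0.9.8zg 11 Jun 2015",
    "bsd-01": "LibreSSL 2.2.0",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12s} {status}")
```

One caveat when reading the results: distribution builds (Debian, RHEL and others) often backport the fix while leaving the upstream version string unchanged, so a host reported as "upgrade-required" should be cross-checked against the distribution's package changelog before it is treated as vulnerable. The check above is a first-pass inventory filter, not a vulnerability confirmation.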
Many security experts speculate that this high-severity vulnerability could be another Heartbleed or POODLE, both of which were considered among the worst TLS/SSL vulnerabilities and are still believed to affect websites on the Internet today.
OpenSSL high-severity vulnerability review
Heartbleed: found in April last year in earlier versions of OpenSSL, this vulnerability allowed attackers to read portions of a vulnerable server's or client's memory, exposing sensitive contents of encrypted sessions, including credit card details, and even the private SSL keys of the web server or client software.
POODLE: a few months later, a serious vulnerability known as POODLE (Padding Oracle On Downgraded Legacy Encryption) was found in the old but still widely used SSL 3.0 protocol. It allows an attacker who can downgrade a connection to SSL 3.0 to decrypt portions of the traffic on that encrypted connection.
In an update this March, OpenSSL fixed a number of high-severity vulnerabilities, including a denial-of-service vulnerability (CVE-2015-0291) that allowed attackers to crash online services, and the FREAK vulnerability (CVE-2015-0204), which allowed an attacker to force a client into using weak export-grade encryption.
OpenSSL will release security patches tomorrow to fix an undisclosed high-severity 0day vulnerability.