The OpenSSL project has released an update that fixes six newly disclosed issues; two of them are rated high severity. OpenSSL is a critical piece of Internet infrastructure, because it is one of the most widely used cryptographic libraries: desktop, mobile and server applications rely on it to provide SSL/TLS encryption for data in transit.
Security problems in OpenSSL first drew wide attention about two years ago with the Heartbleed bug. Although Heartbleed was patched two years ago, it still affects the daily operations of thousands of servers that continue to run vulnerable versions. Among the high-severity issues disclosed in OpenSSL this week is a memory corruption bug in the ASN.1 (Abstract Syntax Notation One) encoder.
That bug, tracked as CVE-2016-2108, is the more complicated of the two. It is a combination of two defects: the encoder memory corruption described above, and a second defect in the handling of ASN.1 tags that had already been recorded on OpenSSL's public issue tracker and fixed without its security impact being recognised at the time. Only in combination do the two become an exploitable vulnerability.
The second high-severity issue, CVE-2016-2107, was introduced by the patch OpenSSL applied in 2013 against the Lucky 13 attack. Lucky 13 takes its name from the 13 bytes of TLS record header (sequence number, content type, protocol version and length) that are fed into the MAC calculation together with the record data.
Lucky 13 and the new CVE-2016-2107 attack are both padding-oracle attacks against CBC-mode cipher suites in TLS: a server that reveals, through a distinguishable error response or through timing, whether the padding of a decrypted record was valid gives an attacker a way to recover plaintext one byte at a time without the key. An online test tool lets organizations quickly and easily check whether their servers are exposed to CVE-2016-2107.
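To make the padding-oracle mechanism concrete, the following is an added example written for this article; it is not OpenSSL code and does not reproduce the exact CVE-2016-2107 code path. It models a TLS-style MAC-then-encrypt CBC record layer with a toy block cipher (a keyed Feistel network over HMAC-SHA256 standing in for AES), a receiver that leaks whether padding was valid (open_vulnerable) beside one that returns a single generic alert (open_fixed), and an attacker that recovers the plaintext of a captured record byte by byte using only that leak. Keys, IV and the plaintext are constructed sample values.

```python
"""Added example: CBC padding-oracle attack against a TLS-style record layer.
Toy cipher and constructed keys; not OpenSSL's implementation."""
import hmac
import hashlib

BLOCK = 16
MAC_LEN = 32  # HMAC-SHA256 tag

# Constructed demo values (assumptions, not taken from any real deployment).
ENC_KEY = b"enc-key-for-demo"
MAC_KEY = b"mac-key-for-demo"
IV = bytes(range(BLOCK))
PLAINTEXT = b"GET /account HTTP/1.1\r\nCookie: session=secret-token-42"


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, half, rnd):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, blk):
    """4-round Feistel permutation on a 16-byte block; a stand-in for AES."""
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, r, rnd))
    return l + r


def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, l, rnd)), l
    return l + r


def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, blk), prev))
        prev = blk
    return b"".join(out)


def tls_pad(data):
    """TLS CBC padding: p+1 bytes, every one of them equal to p."""
    p = BLOCK - 1 - (len(data) % BLOCK)
    return data + bytes([p]) * (p + 1)


def seal(enc_key, mac_key, iv, plaintext):
    """MAC-then-encrypt as TLS does: plaintext || HMAC, padded, CBC-encrypted."""
    tag = hmac.new(mac_key, plaintext, hashlib.sha256).digest()
    return cbc_encrypt(enc_key, iv, tls_pad(plaintext + tag))


def open_vulnerable(enc_key, mac_key, iv, ct):
    """Leaky receiver: bad padding and bad MAC produce different alerts. That
    difference is the padding oracle."""
    data = cbc_decrypt(enc_key, iv, ct)
    p = data[-1]
    if p + 1 > len(data) or any(b != p for b in data[-(p + 1):]):
        return ("BAD_PADDING", None)
    body = data[:-(p + 1)]
    if len(body) < MAC_LEN:
        return ("BAD_MAC", None)
    msg, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, msg, hashlib.sha256).digest()):
        return ("BAD_MAC", None)
    return ("OK", msg)


def open_fixed(enc_key, mac_key, iv, ct):
    """Receiver with one generic alert for every failure. (A production fix must
    also run in constant time, which is what Lucky 13 exploited; this toy only
    removes the error-message channel.)"""
    status, msg = open_vulnerable(enc_key, mac_key, iv, ct)
    return ("BAD_RECORD_MAC", None) if status != "OK" else (status, msg)


def recover_block(rejects_padding, prev_block, target_block):
    """Recover the 16 plaintext bytes of target_block, asking the oracle only
    whether the padding of (forged_iv, target_block) was rejected."""
    recovered = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        p = BLOCK - 1 - pos  # padding value bytes pos..15 must decrypt to
        forged = bytearray(prev_block)
        for k in range(pos + 1, BLOCK):  # already-known bytes forced to p
            forged[k] = prev_block[k] ^ recovered[k] ^ p
        for guess in range(256):
            forged[pos] = prev_block[pos] ^ guess ^ p  # decrypts to P[pos]^guess^p
            if rejects_padding(bytes(forged), target_block):
                continue
            if pos == BLOCK - 1:
                # p == 0: a longer run of padding could be valid by chance;
                # a genuine single 0x00 pad survives disturbing byte 14.
                probe = bytearray(forged)
                probe[BLOCK - 2] ^= 0xFF
                if rejects_padding(bytes(probe), target_block):
                    continue
            recovered[pos] = guess
            break
        else:
            raise RuntimeError("oracle accepted no guess")
    return bytes(recovered)


def recover_record(rejects_padding, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(recover_block(rejects_padding, blocks[i - 1], blocks[i])
                    for i in range(1, len(blocks)))


def attack(server):
    """Run the attacker against a receiver function; return what it recovers."""
    ct = seal(ENC_KEY, MAC_KEY, IV, PLAINTEXT)

    def rejects_padding(iv, blk):
        return server(ENC_KEY, MAC_KEY, iv, blk)[0] == "BAD_PADDING"

    return recover_record(rejects_padding, IV, ct)


if __name__ == "__main__":
    print("leaky receiver :", attack(open_vulnerable)[:len(PLAINTEXT)])
    print("fixed receiver :", attack(open_fixed)[:len(PLAINTEXT)])
```

Against open_vulnerable the attacker recovers the full record, cookie included, with at most 256 queries per byte and no knowledge of the key; against open_fixed every query looks the same and the attack yields garbage. The real CVE-2016-2107 leak was of the same shape (a distinguishable error when padding and MAC length did not fit the record on the AES-NI path), and Lucky 13 showed that even with uniform alerts a timing difference in the MAC check is enough, which is why the 2013 fix had to make the whole check constant-time.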
Patches are already available: the fixed releases are OpenSSL 1.0.2h and 1.0.1t. The remaining four issues are rated low severity, but it is still wise to install the updates promptly.