OpenSSL security update less critical than expected, still recommended

As announced on Monday, the OpenSSL project team has released new versions of the cryptographic library that fix a number of security issues.

The announcement created a panic within the security community, who were dreading the discovery of another Heartbleed-type bug, but as it turns out, the high severity issue fixed is a bug than can be exploited in a DoS attack against servers.

The team has also re-classified the FREAK bug as high severity, but the library has been patched for that in January.

Other issues fixed are mostly memory corruption and DoS flaws of moderate and low severity.

Given that Cryptography Services is working on an audit of OpenSSL, we can expect similar scares and the patching of high priority bugs in the coming months.

Users are advised to update to OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.

Rapid7’s global security strategist, Trey Ford, comments: “We expect to see corresponding attack code quickly built by those reverse engineering the published patches – steps to push these fixes to internet exposed systems should be prioritized. Export ciphers are overdue for retirement, and organizations using them should looks for ways to upgrade to more stringent encryption standards.”