OpenSSL, one of the most widely used encryption libraries globally, has just released three new security updates to cover eight vulnerabilities.
The updates cover the two current open-source versions that the organization supports, as well as the outdated 1.0.2 version series, which is only available to customers who pay for premium support.
The updated versions of OpenSSL 3.0 series will be version 3.0.8, OpenSSL 1.1.1 series will be version 1.1.1t, and OpenSSL 1.0.2 series will be version 1.0.2zg.
“If you’re wondering why the older versions have three numbers plus a letter at the end, it’s because the OpenSSL project used to have four-part version identifiers, with the trailing letter acting as a counter that could support 26 sub-versions,” said the Sophos analysis report of the patches.
“As you can see from what’s happened to version 1.0.2, 26 sub-versions turned out not to be enough, leaving a quandary of what to do after version Z-for-Zulu: go back to Alpha-Alpha, which confusingly breaks alphabetic ordering, or just stick with Z-for-Zulu and start a sub-sub-version cycle of A-to-Z.
The older versions had a three-number and a letter system, but the OpenSSL team has now adopted the X.Y.Z three-number versioning system, with the current version being 3.0 and sub-version 8.
There are eight CVE-numbered bug fixes in total, with seven of them caused by memory mismanagement issues.
Like OpenSSH, OpenSSL is written in C and managing memory allocation and deallocation can be challenging.
“Unfortunately, even experienced programmers can forget to match up their malloc() calls and their free() calls correctly, or can lose track of which memory buffers belong to what parts of their program,” said the Sophos report.
The seven memory-related bugs are: CVE-2023-0286, CVE-2023-0215, CVE-2022-4450, CVE-2022-4203, CVE-2023-0216, CVE-2023-0217, and CVE-2023-0401, affecting all or specific versions of OpenSSL.
Vulnerability CVE-2023-0286 is rated high and all others are rated moderate.
What troubles OpenSSL?
A NULL dereference occurs when an attempt is made to use the number 0 as a memory address. This usually indicates an incorrectly initialized storage variable since zero is never considered a valid data storage location.
Most modern operating systems have labelled the first few thousand bytes of memory as unusable to prevent hardware-level errors.
When a program tries to access the zero page, the operating system will shut it down. This type of bug is prone to denial-of-service attacks as a cybercriminal can deliberately trigger the vulnerability and cause the program to crash repeatedly.
An invalid pointer dereference is similar, but it means trying to access an address that was not assigned.
OpenSSL and earlier bugs
The previous major OpenSSL patch came in November 2022, when OpenSSL cryptography library released an update to fix a critical vulnerability.
That was only the second time the project has faced a flaw classified as ‘critical,’ with the first being the well-known Heartbleed vulnerability (CVE-2014-0160).
Heartbleed was a memory handling bug that allowed attackers to access sensitive information from vulnerable servers.
The November patch (OpenSSL 3.0.7) affected only OpenSSL version 3.0. However, OpenSSL version 3.0.x was only released in 2021 and may limit the extent of the problems caused by the announcement.
One security expert from Google suggested then, based on recent software commits and a blog post by the OpenSSL team, that the update might relate to a denial-of-service issue.
Even Mark Cox, VP of Security at the Apache Software Foundation, tweeted about that as a fix for a “critical CVE”, raising concerns. However, it turned out to be less severe than expected.
Although the two email security bugs were rated 8.8 and considered high, they only affect OpenSSL versions 3.0.0 to 3.0.6. If you’re using OpenSSL 1.1.1 or 1.0.2, there’s no need to worry.