OpenSSL Issues Fix For Remote Code Execution Attacks


OpenSSL is a toolkit that implements Secure Sockets Layer and Transport Layer Security protocols, as well as a full strength, general purpose cryptography library.

The race condition flaw was found in the OpenSSL TLS server extension parsing code and affects some multithreaded OpenSSL applications. Researchers at Red Hat Security, which relies on OpenSSL for an array of Red Hat Enterprise Linux products, warned in an advisory that, under certain conditions, attackers could exploit the vulnerability by triggering a race condition that could cause the OpenSSL application to crash or enable them to launch a malicious attack.

The vulnerability, which Red Hat Security researchers ranked as "important" on their Common Vulnerability Scoring System, affects all versions of OpenSSL that support TLS extensions, including OpenSSL 0.9.8f through 0.9.8o, 1.0.0 and 1.0.0a.

"Any OpenSSL based TLS server is vulnerable if it is multi-threaded and uses OpenSSL's internal caching mechanism," according to an OpenSSL Project advisory. "Servers that are multiprocess and/or disable internal session caching are not affected."


The issue does not, thus far, affect the Apache HTTP Server or Stunnel.

Security experts recommend that users upgrade from all affected OpenSSL 0.9.8 releases (0.9.8f through 0.9.8o) to the latest OpenSSL 0.9.8p release, and from 1.0.0a to 1.0.0b. All of the updates, available on the Red Hat Network, contain a patch that resolves the flaw.

Alternatively, users can apply the relevant source code patch available at the .

The update will require that all services linked to the OpenSSL library be restarted or the system be rebooted altogether.
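As an added triage helper (not code from the article, Red Hat or the OpenSSL Project), the following Python takes the output of `openssl version` together with the two deployment facts the OpenSSL advisory names, a multi-threaded server and use of the internal session cache, and reports whether a host is running an affected release, whether it is actually exposed, and which fixed release to move to. The version ranges are the ones quoted above; the sample strings in the comments are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Ranges as the article states them: 0.9.8f through 0.9.8o (fixed in 0.9.8p),
# and 1.0.0 and 1.0.0a (fixed in 1.0.0b). Each entry is (lowest, highest, fixed).
AFFECTED_RANGES = [
    ((0, 9, 8, "f"), (0, 9, 8, "o"), (0, 9, 8, "p")),
    ((1, 0, 0, ""), (1, 0, 0, "a"), (1, 0, 0, "b")),
]
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text: str) -> Optional[Tuple[int, int, int, str]]:
    """Extract the version from `openssl version` output such as the
    constructed line 'OpenSSL 0.9.8o 01 Jun 2010'. Pre-1.1 OpenSSL uses a
    letter suffix as the patch level and '' sorts before 'a', so plain tuple
    comparison orders releases correctly (1.0.0 < 1.0.0a < 1.0.0b)."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def format_version(v: Tuple[int, int, int, str]) -> str:
    return f"{v[0]}.{v[1]}.{v[2]}{v[3]}"


def assess(version_text: str, multithreaded: bool,
           internal_session_cache: bool) -> Dict[str, object]:
    """'affected' means the library version lies in a vulnerable range;
    'exposed' additionally requires the conditions the OpenSSL advisory names:
    a multi-threaded server that uses OpenSSL's internal session cache."""
    v = parse_version(version_text)
    if v is None:
        return {"version": None, "affected": False, "exposed": False,
                "upgrade_to": None}
    upgrade_to = None
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            upgrade_to = format_version(fixed)
            break
    affected = upgrade_to is not None
    return {"version": format_version(v), "affected": affected,
            "exposed": affected and multithreaded and internal_session_cache,
            "upgrade_to": upgrade_to}
```

A server that is affected but not exposed (multiprocess, or internal session caching disabled) still needs the update, since the advisory's conditions describe current exposure rather than the presence of the flaw in the library.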