Brace yourself. Mystery OpenSSL high severity vulnerability due to be fixed on Thursday

New versions of OpenSSL, the open-source software widely used to encrypt internet communications using SSL/TLS, are due to be released on Thursday, patching a series of security vulnerabilities.

And one of those security vulnerabilities, according to the software’s developers, is considered “highly serious”.

Details of the nature of the security flaws are currently non-existent, but an advisory published on Monday does explain that updates will be issued for OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.

Openssl advisory

Inevitably, there is much speculation online that the vulnerability could be comparable to the hard-hitting Heartbleed bug (aka CVE-2014-0160) discovered last year, or its rather less dangerous compadre, POODLE (aka CVE-2014-3566).

It’s understandable that the OpenSSL Project isn’t saying any more yet – they will be worried about the potential to tip off malicious hackers who might be able to exploit the vulnerability before the patch is available.

As Optimal Security contributor Orion described earlier this month, a single bug in open source software can have worldwide repercussions, because the software is so pervasive.

And when the open source software is OpenSSL, a critical component in the underlying technology used to secure internet transactions, it is essential that we take any warning of security holes seriously.

The heads-up about this latest high severity security hole in OpenSSL arrives less than two weeks after it was revealed that the Linux Foundation’s Core Infrastructure Initiative (CII) is spending millions of dollars on a project designed to harden open source technologies.

The likes of Amazon, IBM, Google, Facebook and many other big industry names are stumping up the cash to fund security consultants and cryptography experts in a significant audit of OpenSSL’s code, because they recognise how important it is that the widely-used code is secure.

It’s never pleasant knowing that there is a bug in such an essential part of many internet systems, and that both the patch to fix it and the knowledge of its potential impact remain a day or two away.

But at least we know that a patch is on its way, and we can feel more confident than ever that the security of OpenSSL should significantly improve over time thanks to the efforts of the industry looking closely at its code.

This article originally appeared on the Optimal Security blog.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
