OpenSSL has fixed a number of vulnerabilities, including a serious bug in the encryption toolkit. This bug could potentially expose users to malicious attacks.
The vulnerability, CVE-2023-0286, is a type confusion bug that can allow an attacker to read memory contents or cause a denial of service, OpenSSL representatives said in a statement.
“In most cases, the attack requires the attacker to provide both a certificate chain and a CRL, neither of which needs to have a valid signature. If the attacker controls only one of these inputs, the other input must already contain an X.400 address as a CRL distribution point,” OpenSSL added.
Type confusion bugs can have serious consequences, since they can be used to deliberately force a program to behave in unintended ways, which can lead to a crash or the execution of malicious code.
The problem was fixed in OpenSSL versions 3.0.8, 1.1.1t and 1.0.2zg. Other vulnerabilities fixed as part of the latest updates include CVE-2022-4203, CVE-2022-4304, CVE-2022-4450, CVE-2023-0215, CVE-2023-0216, CVE-2023-0217 and CVE-2023-0401.
Successful exploitation of the above vulnerabilities can crash the application, disclose memory contents, and even allow recovery of the plaintext of messages sent over the network.
Earlier this week we also reported a fix for another critical vulnerability, this one affecting OpenSSH, tracked as CVE-2023-25136. Despite its high CVSS score of 9.1 out of 10, security researchers reported that exploiting the vulnerability is too difficult for it to be used in active attacks.
All users of these products are advised to update to the latest version as soon as possible to minimize any risks.
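To check a host against the fixed OpenSSL releases named above (3.0.8, 1.1.1t, 1.0.2zg), the following added example compares a version string with the first fixed release on its branch. It is not code from OpenSSL or from the original article; the function names and sample strings are constructed for illustration, and branches the article does not mention return `None`.

```python
import re

# First fixed release on each branch, taken from the article.
FIXED_RELEASES = ("3.0.8", "1.1.1t", "1.0.2zg")
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse(text):
    """Return (branch, sort_key) for the first version found in text, or None."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    letters = m.group(4)
    # 3.x branches are major.minor; 1.x branches are major.minor.fix plus letters.
    branch = (major, minor) if major >= 3 else (major, minor, patch)
    # Letter releases run a..z, then za, zb, ...: order by length, then alphabetically.
    return branch, (major, minor, patch, len(letters), letters)


_FIXED = dict(parse(v) for v in FIXED_RELEASES)


def is_patched(version_text):
    """True/False for branches named in the article, None if the branch is unknown."""
    parsed = parse(version_text)
    if parsed is None or parsed[0] not in _FIXED:
        return None
    branch, key = parsed
    return key >= _FIXED[branch]


if __name__ == "__main__":
    import ssl

    # The OpenSSL build linked into this Python interpreter.
    print(ssl.OPENSSL_VERSION, "->", is_patched(ssl.OPENSSL_VERSION))
    # Constructed sample strings in the style of `openssl version` output.
    for sample in ("OpenSSL 3.0.7 1 Nov 2022", "OpenSSL 1.1.1t  7 Feb 2023", "OpenSSL 1.0.2zf"):
        print(sample, "->", is_patched(sample))
```

Distribution packages often backport security fixes without changing the upstream version string, so a `False` result for a distro-supplied build should be confirmed against the vendor's advisory for that package.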