But many popular open-source programming libraries that support it – including OpenSSL, LibreSSL and BoringSSL, “have kept old-school product names for the sake of familiarity,” Ducklin commented in a recent drilldown into the OpenSSL bugs. TLS has replaced SSL, which contained what Sophos’s Paul Ducklin called a “huge” number of cryptographic flaws.
That’s because OpenSSL is mostly used by network software – including being widely used by Internet servers and the majority of HTTPS websites – that use the TLS protocol (transport layer security), formerly known as SSL (secure sockets layer), to protect data in transit. These OpenSSL flaws are spreading ripples far and wide.
The vulnerabilities are tracked as CVE-2021-3711 – a high-severity buffer overflow related to SM2 decryption– and CVE-2021-3712, a medium-severity flaw that can be exploited for DoS attacks and possibly for the disclosure of private memory contents. On Monday, QNAP put out two security advisories about OpenSSL remote-code execution and denial-of-service (DoS) bugs, fixed last week, that affect its network-attached storage (NAS) devices.
0 kommentar(er)
