The OpenSSL Project team announced on Monday the 6th of July that OpenSSL versions 1.0.2d and 1.0.1p will be released shortly to address a serious security bug. According to the developers of the popular open-source toolkit for SSL/TLS, OpenSSL 1.0.2d and 1.0.1p will be released on Thursday, July 9, and they will fix a single high severity vulnerability.The announcement comes less than a month after OpenSSL versions 1.0.2b, 1.0.1n, 1.0.0s and 0.9.8zg were released to address several moderate and low severity bugs, most of which can be exploited for denial-of-service (DoS) attacks.
The latest versions also patch Logjam (CVE-2015-4000), a TLS bug that can be exploited through man-in-the-middle (MitM) attacks to downgrade connections to 512-bit export-grade cryptography. The vulnerability allows an attacker to read and alter encrypted data.
Given malware writers’ ability to very rapidly incorporate vulnerabilities such as these into commercially available malware kits, IT managers are advised to review their infrastructure to ensure that there is a full inventory of all the instances where OpenSSL is used, and to put a plan in place to patch vulnerable servers as soon as possible after the patch is released.