OpenSSL Patch for High Severity Vulnerability Coming Tomorrow

OpenSSL is a widely used open source software library that provides encrypted Internet connections using SSL/TLS for a majority of websites as well as other secure services.

Over the past year, the OpenSSL team has been researching and creating patches for several bugs, one of the most famous being Heartbleed. This bug resulted in a long process of patching in April 2014, and to this day, there are still servers on the Internet that are vulnerable to Heartbleed.

Mark Cox of the OpenSSL Project sent a notification through the project's mailing list about an upcoming patch for an unknown vulnerability:

The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p.

These releases will be made available on 9th July. They will fix a single security defect classified as “high” severity. This defect does not affect the 1.0.0 or 0.9.8 releases.

This bug will require a migration to the new version of the open source crypto library. The notification came with very little detail about the actual vulnerability, as any information shared in advance could be exploited in live attacks by malicious hackers.

There were a couple of high severity vulnerabilities fixed in March of 2015, including a denial-of-service (DoS) flaw (CVE-2015-0291) that allowed attackers to crash online services and FREAK (CVE-2015-0204), which allowed attackers to force clients to use weaker encryption.

When the patch does become available tomorrow, all administrators and developers should patch their systems quickly and efficiently, while still following the best practice of testing patches before they are pushed to production.
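To plan that rollout, the following added example (not code from the OpenSSL project or from this post) triages `openssl version` banners against the releases named in the announcement. It assumes any 1.0.1 or 1.0.2 build older than the fixed release should be scheduled for upgrade, since the announcement does not say which earlier releases are affected; the host names and banners are constructed.

```python
import re

# Fixed releases named in the announcement, keyed by release branch.
FIXED = {"1.0.2": "d", "1.0.1": "p"}
# Branches the announcement says the defect does not affect.
NOT_AFFECTED = {"1.0.0", "0.9.8"}

# Version token in `openssl version` output, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013".
VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)\b")


def parse_version(banner):
    """Return (branch, patch_letters) from a version banner, or None."""
    m = VERSION_RE.search(banner)
    return (m.group(1), m.group(2)) if m else None


def letter_key(letters):
    # Patch letters run a..z, then za, zb, ...: compare length first, then text.
    return (len(letters), letters)


def triage(banner):
    """Classify one banner: not-affected, has-fix, upgrade, or unknown."""
    parsed = parse_version(banner)
    if parsed is None:
        return "unknown"          # not OpenSSL, or an unparseable banner
    branch, letters = parsed
    if branch in NOT_AFFECTED:
        return "not-affected"
    if branch not in FIXED:
        return "unknown"          # branch not mentioned in the announcement
    if letter_key(letters) >= letter_key(FIXED[branch]):
        return "has-fix"
    return "upgrade"              # assumption: older build on a fixed branch


def triage_inventory(inventory):
    """Map each host to its triage status."""
    return {host: triage(banner) for host, banner in inventory.items()}


# Constructed inventory: hypothetical host names with sample banners.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "web-02": "OpenSSL 1.0.2d 9 Jul 2015",
    "legacy-01": "OpenSSL 0.9.8zg 11 Jun 2015",
    "proxy-01": "LibreSSL 2.1.6",
}

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Distribution packages often carry backported fixes under an unchanged upstream version letter, so an "upgrade" result is a prompt to check the vendor's advisory for that package rather than proof of exposure.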

If you are an Amazon Web Services (AWS) customer, you should know: