OpenSSL is a widely used open source software library that provides encrypted Internet connections using SSL/TLS for a majority of websites as well as other secure services.
Over the past year, the OpenSSL team has been researching and patching several bugs, the most famous being Heartbleed. That bug set off a long patching process in April 2014, and to this day there are still servers on the Internet that are vulnerable to Heartbleed.
Mark Cox of the OpenSSL Project sent a notification through the project's mailing list about an upcoming patch for an undisclosed vulnerability:
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p.
These releases will be made available on 9th July. They will fix a single security defect classified as “high” severity. This defect does not affect the 1.0.0 or 0.9.8 releases.
Fixing this bug will require upgrading to the new version of the open source crypto library. The notification came with very little detail about the vulnerability itself, since any information shared in advance could be exploited by attackers before the fix is deployed.
There were a couple of high severity vulnerabilities fixed in March of 2015, including a denial-of-service (DoS) flaw (CVE-2015-0291) that allowed attackers to crash online services and FREAK (CVE-2015-0204) that allowed attackers to force clients to use weaker encryption.
When the patch does become available tomorrow, all administrators and developers should patch their systems quickly and efficiently but follow best practices of testing patches before they are pushed to production.
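A practical first step once the release is out is an inventory of which installed OpenSSL builds are at or past the fixed versions. The script below is an added example (not from the post or the OpenSSL project): it parses the banner that `openssl version` prints and compares the letter suffix against the fixed releases named in the notification, 1.0.2d and 1.0.1p, treating 1.0.0 and 0.9.8 as unaffected as the notification states. The sample banners in the usage section are constructed.

```shell
#!/bin/sh
# Added example: classify an "openssl version" banner against the fixed releases
# announced for this advisory (assumed from the notification: 1.0.2d and 1.0.1p).
# Return codes: 0 = at/after the fixed release (or unaffected branch),
#               1 = older than the fixed release, 2 = banner not recognised.
openssl_is_patched() {
    banner=$1
    # Capture "1.0.1e" from "OpenSSL 1.0.1e-fips 11 Feb 2013"; drop the rest.
    ver=$(printf '%s\n' "$banner" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    base=$(printf '%s' "$ver" | sed 's/[a-z]*$//')   # numeric branch, e.g. 1.0.1
    letter=$(printf '%s' "$ver" | sed 's/^[0-9.]*//') # patch letter, e.g. e (may be empty)
    case "$base" in
        1.0.2) fixed=d ;;
        1.0.1) fixed=p ;;
        1.0.0|0.9.8) return 0 ;;   # not affected according to the notification
        *) return 2 ;;             # unknown branch: do not guess
    esac
    # No letter means the first release of the branch, older than any lettered one.
    [ -n "$letter" ] || return 1
    # Compare single patch letters by their character codes (a < b < ... < z).
    have=$(printf '%d' "'$letter")
    need=$(printf '%d' "'$fixed")
    if [ "$have" -ge "$need" ]; then return 0; else return 1; fi
}

# Report a banner in human-readable form; wraps openssl_is_patched.
report_banner() {
    if openssl_is_patched "$1"; then
        echo "OK       : $1"
    elif [ $? -eq 2 ]; then
        echo "UNKNOWN  : $1"
    else
        echo "UPGRADE  : $1"
    fi
}

# Usage with constructed banners, plus the local build if openssl is installed.
report_banner "OpenSSL 1.0.1e-fips 11 Feb 2013"
report_banner "OpenSSL 1.0.2c 12 Jun 2015"
report_banner "OpenSSL 1.0.1p 9 Jul 2015"
report_banner "OpenSSL 0.9.8zg 11 Jun 2015"
if command -v openssl >/dev/null 2>&1; then
    report_banner "$(openssl version)"
fi
```

The version string alone is not conclusive on distributions that backport security fixes without changing the upstream version letter (a banner such as `1.0.1e-fips` can carry the fix); on those systems, check the package's changelog or the vendor advisory rather than the banner. The script also only checks the `openssl` binary on the path; long-running services that link their own copy of the library need to be restarted or rebuilt after the package is upgraded.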
If you are an Amazon Web Services (AWS) customer, you should know:
- TLS is used with every AWS API and is also available directly to customers of many AWS services including Elastic Load Balancing (ELB), AWS Elastic Beanstalk, Amazon CloudFront, Amazon S3, Amazon RDS, and Amazon SES.
- With TLS being a large part of Amazon's services, they provide an alternative to OpenSSL that you can use to provide TLS/SSL in your AWS environments. In order to simplify Amazon's TLS implementation, and as part of AWS's support for strong encryption, they announced the availability of a new open source implementation of the TLS protocol called s2n. s2n is a library designed to be small and fast, with simplicity as a priority. It avoids implementing rarely used options and extensions and is just over 6,000 lines of code, as opposed to the 500,000 lines of code in OpenSSL.
- If you are interested in looking at the code, they have released it through Github: https://github.com/awslabs/s2n