Posted: Tue Mar 15, 2022 10:18 pm Post subject: About the latest OpenSSL vulnerability
Today (March 15, 2022), the OpenSSL project has reported a vulnerability in one of its core computation algorithms that mainly affects reading elliptic curve certificates. Some specially crafted certificates and/or private keys based on elliptic curves can send OpenSSL (and its calling process) into an infinite loop.
As you know, Abyss Web Server uses OpenSSL to handle parts of its TLS/SSL support. Hopefully, this particular vulnerability is very unlikely to affect it: contrary to Web browsers, Abyss Web Server does not validate external certificates as part of its normal operation. It also does not accept client certificates.
Maliciously crafted certificates that could trigger this bug have almost no chance of being encountered by a Web server.
Despite this low risk, we are going to release, in the very near future, a version which includes a fixed OpenSSL version.
Aprelium - https://aprelium.com