**BREAKING: OpenSSL Issues Critical Security Updates to Fix 12 Flaws**

OpenSSL, the widely used open-source cryptographic library, has released critical security updates to address a staggering 12 vulnerabilities, including a high-severity remote code execution flaw.

The update is the result of a collaborative effort between OpenSSL and cybersecurity firm Aisle, which discovered the twelve vulnerabilities. According to the advisory, the addressed issues are primarily tied to memory safety, parsing robustness, and resource handling.

**Remote Code Execution Flaw: The Most Severe Issue**

One of the most critical flaws is a high-severity remote code execution vulnerability that can allow attackers to execute arbitrary code on vulnerable systems. This type of vulnerability is particularly concerning because it can give an attacker control over the affected system, which could then be used to spread malware.

**Other Vulnerabilities Addressed in the Update**

The update also fixes several other vulnerabilities, including:

  • Stack and heap overflows in PKCS#12 and CMS parsing
  • NULL pointer dereferences and type-confusion bugs in ASN.1, PKCS#7, QUIC, and TimeStamp handling that can cause denial of service
  • Out-of-bounds writes in auxiliary APIs like BIO filters
  • A logic bug in the CLI signing tool that failed to fully authenticate large inputs
  • A TLS 1.3 certificate compression issue that enabled memory exhaustion
  • A low-level OCB mode flaw that could leave data partially unprotected

**Assessing the Severity of the Vulnerabilities**

The two most severe issues are assessed as High severity, with the rest being categorized as Low severity. According to the bulletin, these low-severity vulnerabilities are primarily constrained to Denial of Service or integrity gaps in narrower usage scenarios (CLI tools, legacy PKCS#7, TimeStamp, BIO filters, OCB low-level API, PKCS#12 parsing type confusions with DoS-only impact).

**What You Can Do to Protect Yourself**

As a responsible journalist and cybersecurity enthusiast, I urge all users of OpenSSL to update their systems as soon as possible. The vulnerability bulletin is available on the OpenSSL website, where you can find detailed information about the patched vulnerabilities and instructions on how to apply the updates.
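The first step in acting on an advisory like this one is knowing which OpenSSL build is actually loaded on each host. The script below is an added example, not code from the article or from the OpenSSL project: it parses `openssl version`-style strings (including the `(Library: OpenSSL ...)` form that reports a runtime library differing from the headers, and the letter-suffixed 1.x series), and compares the installed version against the fixed version for its release branch. The fixed versions themselves are not hard-coded; they are taken from the OpenSSL bulletin and passed on the command line, and the version strings used in the comments are constructed samples.

```python
"""Report whether the OpenSSL linked into this interpreter predates a fixed release.

Added example (not from the article or from OpenSSL). Fixed versions are
supplied by the operator from the OpenSSL advisory, e.g.:

    python check_openssl.py 3.0.<fixed-patch> 3.2.<fixed-patch> 1.1.1<fixed-letter>
"""
import re
import ssl
import sys
from typing import Dict, NamedTuple, Optional


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    letter: str  # 1.x series suffix, e.g. "w" in 1.1.1w; "" for 3.x releases

    @property
    def branch(self) -> str:
        return f"{self.major}.{self.minor}"

    def sort_key(self):
        # Letter suffixes sort alphabetically, and "za" follows "z", so
        # compare by length first and then by the letters themselves.
        return (self.major, self.minor, self.patch, len(self.letter), self.letter)


# Matches "OpenSSL 3.0.13", "OpenSSL 1.1.1w", "OpenSSL 1.0.2k-fips" (letter only).
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text: str) -> Optional[OpenSSLVersion]:
    """Parse an `openssl version` / ssl.OPENSSL_VERSION string.

    When the string carries a "(Library: OpenSSL x.y.z ...)" suffix, that is the
    library loaded at runtime, so the last match wins over the headers version.
    Returns None for non-OpenSSL libraries such as LibreSSL or BoringSSL.
    """
    matches = _VERSION_RE.findall(text)
    if not matches:
        return None
    major, minor, patch, letter = matches[-1]
    return OpenSSLVersion(int(major), int(minor), int(patch), letter)


def update_status(version_text: str, fixed_by_branch: Dict[str, str]) -> str:
    """Classify an installed version against per-branch fixed versions.

    fixed_by_branch maps a release branch ("3.0", "1.1") to the fixed version
    string from the advisory ("3.0.<n>", "1.1.1<x>").  Returns one of
    "patched", "vulnerable", "unknown-branch" or "not-openssl".
    """
    installed = parse_openssl_version(version_text)
    if installed is None:
        return "not-openssl"
    fixed_text = fixed_by_branch.get(installed.branch)
    if fixed_text is None:
        return "unknown-branch"  # branch not listed: check the advisory by hand
    fixed = parse_openssl_version("OpenSSL " + fixed_text)
    if fixed is None:
        raise ValueError(f"unparseable fixed version: {fixed_text!r}")
    return "vulnerable" if installed.sort_key() < fixed.sort_key() else "patched"


if __name__ == "__main__":
    # Build the branch -> fixed-version table from the command line so that no
    # version numbers are hard-coded in the script.
    fixed: Dict[str, str] = {}
    for arg in sys.argv[1:]:
        parsed = parse_openssl_version("OpenSSL " + arg)
        if parsed is not None:
            fixed[parsed.branch] = arg
    print(f"{ssl.OPENSSL_VERSION} -> {update_status(ssl.OPENSSL_VERSION, fixed)}")
```

Only the OpenSSL that Python itself links against is checked here; system binaries, containers and statically linked applications each carry their own copy, so the same `update_status` function is meant to be fed the `openssl version` output collected from each of them.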

**Stay Informed with SecurityAffairs**

Follow me on Twitter (@securityaffairs), Facebook and Mastodon for the latest news and updates on cybersecurity threats and vulnerabilities. Stay safe online!