OpenSSL patches High risk vulnerability (CVE-2020-1971)

OpenSSL patches High risk vulnerability (CVE-2020-1971)

OpenSSL patched a High severity vulnerability CVE-2020-1971 in certain OpenSSL versions. As a result, a bad actor could exploit and launch a Denial of Service attack against impacted systems.

OpenSSL described the “EDIPARTYNAME NULL pointer de-reference” vulnerability (CVE-2020-1971) in a recent security advisory:

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function ENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash
may occur leading to a possible denial of service attack.

OpenSSL

All OpenSSL 1.1.1 and 1.0.2 versions are affected by this vulnerability and should be upgraded to 1.1.1i.

On a related note, Microsoft also released the December 2020 Security Updates that includes patches for 58 vulnerabilities, 9 of them rated Critical.

Related Articles

Tags: , ,