Dive Brief:
- The OpenSSL Project on Tuesday released OpenSSL 3.0.7, patching two high-severity buffer overflows in the library's handling of email addresses in X.509 certificates. Both can crash an application (denial of service) and could potentially be leveraged for remote code execution.
- The two vulnerabilities are the X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786) and the X.509 Email Address 4-Byte Buffer Overflow (CVE-2022-3602), OpenSSL said in its advisory. Both affect OpenSSL 3.0.0 through 3.0.6; the 1.1.1 and 1.0.2 branches do not contain the vulnerable code.
- OpenSSL last week pre-announced a critical vulnerability and told organizations to prepare, but downgraded the severity to high in Tuesday's advisory after consulting with multiple security researchers.
Dive Insight:
The high-severity rating dials back initial fears of a critical vulnerability, but security researchers agree that organizations still need to take the advisory seriously and patch their systems.
Brian Fox, Sonatype co-founder and CTO, warned that memory corruption issues can be nuanced, so a proactive security fix would be the safest option.
“While an exploit right now seems complicated and limited in scope, given enough time, attackers may find novel ways to leverage this,” Fox said via email. “Upgrading is the best way to close the door now, and importantly, in the future.”
The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory late Tuesday urging users and administrators to apply the updates. CISA and the Netherlands' National Cyber Security Centre (NCSC-NL) have put together a GitHub repository that tracks which software products are affected by the vulnerabilities.
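A quick triage helper for the advice above, added here as an example and not code from OpenSSL, CISA or the article: it parses the banner printed by `openssl version` and reports whether the release falls in the affected 3.0.0 through 3.0.6 range. The sample banners are constructed for illustration, not captured from any real host.

```python
import re
import subprocess

# Constructed sample banners in the format `openssl version` prints (not from a real host).
SAMPLE_OUTPUTS = [
    "OpenSSL 3.0.5 5 Jul 2022",
    "OpenSSL 3.0.7 1 Nov 2022",
    "OpenSSL 1.1.1q  5 Jul 2022",
    "OpenSSL 3.0.0 7 sep 2021",
    "LibreSSL 3.3.6",
]

# Matches "OpenSSL <major>.<minor>.<patch>" plus the optional letter suffix used by 1.x releases.
_VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (major, minor, patch) from an `openssl version` banner, or None if it is not OpenSSL."""
    m = _VERSION_RE.match(banner.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.group(1, 2, 3))


def is_affected(banner):
    """True if the banner names an upstream OpenSSL release in the range 3.0.0 through 3.0.6.

    CVE-2022-3602 and CVE-2022-3786 were introduced in 3.0.0 and fixed in 3.0.7;
    the 1.1.1 and 1.0.2 branches never contained the vulnerable code.
    Caveat: distribution packages often backport the fix while keeping the upstream
    version string, so a True result means "check your vendor advisory", not
    "confirmed vulnerable".
    """
    v = parse_openssl_version(banner)
    if v is None:
        return False
    return (3, 0, 0) <= v <= (3, 0, 6)


def local_openssl_banner():
    """Run the system `openssl version`; return None if the binary is absent or fails."""
    try:
        result = subprocess.run(
            ["openssl", "version"], capture_output=True, text=True, check=True
        )
    except (OSError, subprocess.CalledProcessError):
        return None
    return result.stdout


if __name__ == "__main__":
    for banner in SAMPLE_OUTPUTS:
        print(f"{banner!r:32} affected={is_affected(banner)}")
    local = local_openssl_banner()
    if local:
        print(f"this host: {local.strip()!r} affected={is_affected(local)}")
```

The system `openssl` binary is only one copy of the library: applications that bundle or statically link OpenSSL 3 carry their own, which is why the CISA/NCSC-NL software list matters alongside a version check.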
Concern spread rapidly through the industry because of OpenSSL's history: the Heartbleed vulnerability of 2014, also a memory-safety flaw in the library, is widely considered one of the most damaging security events in decades.
Editor’s note: This article has been updated to include CISA’s advisory with additional details.