OpenSSL on Thursday patched three vulnerabilities in its latest update, and reminded users running version 1.0.1 of the cryptographic library that security support for that branch will end Dec. 31.
Of the three bugs, only one was rated high severity; it can lead to OpenSSL crashes. Only OpenSSL 1.1.0 is affected; earlier versions are not. Users should upgrade to OpenSSL 1.1.0c.
The vulnerability was privately disclosed by Robert Swiecki, an information security engineer at Google.
The flaw affects TLS connections using ChaCha20-Poly1305, OpenSSL said. ChaCha20-Poly1305 is an AEAD (authenticated encryption with associated data) ciphersuite that was recently standardized.
“TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS attack by corrupting larger payloads. This can result in an OpenSSL crash,” OpenSSL said. “This issue is not considered to be exploitable beyond a DoS.”
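As an added example (not from the advisory or from the OpenSSL project), a POSIX shell helper that classifies an `openssl version` string against the range named above (1.1.0 through 1.1.0b affected, 1.1.0c fixed, 1.0.x not affected) and lists which *-CHACHA20-POLY1305 suites a build has enabled from `openssl ciphers -v` output. The version strings and cipher listing used for the offline check are constructed samples; the live function assumes an `openssl` binary on PATH.

```shell
#!/bin/sh
# Added example, not part of the advisory or of OpenSSL itself.
# Classifies an `openssl version` string against the affected range
# (1.1.0, 1.1.0a, 1.1.0b affected; 1.1.0c and later fixed; 1.0.x not
# affected) and lists enabled *-CHACHA20-POLY1305 suites.

# chacha_dos_status "OpenSSL 1.1.0b  26 Sep 2016"
#   -> prints affected | fixed | not-affected | unknown
chacha_dos_status() {
    # Pull the "1.1.0b"-style token out of the full version banner.
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        '')                   echo unknown ;;        # not an OpenSSL banner
        1.1.0|1.1.0a|1.1.0b)  echo affected ;;       # ChaCha20-Poly1305 DoS
        1.1.0*)               echo fixed ;;          # 1.1.0c and later
        *)                    echo not-affected ;;   # 1.0.1 / 1.0.2 branches
    esac
}

# Reads `openssl ciphers -v` output on stdin and prints the enabled
# ChaCha20-Poly1305 suite names, one per line (no output = none enabled).
enabled_chacha_suites() {
    awk '$1 ~ /-CHACHA20-POLY1305/ { print $1 }'
}

# Constructed sample of `openssl ciphers -v` output, for offline use.
SAMPLE_CIPHERS='ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD'

# Counts ChaCha20 suites in a ciphers -v listing passed as one string.
count_chacha_suites() {
    printf '%s\n' "$1" | enabled_chacha_suites | wc -l | tr -d ' '
}

# Live check against the local build (assumes `openssl` is on PATH).
# Not invoked at top level so the file can be sourced offline.
audit_local_openssl() {
    chacha_dos_status "$(openssl version)"
    openssl ciphers -v 'ALL' | enabled_chacha_suites
}
```

Run `audit_local_openssl` on a host to see both the branch status and the ChaCha20 suites it would negotiate; a status of `affected` with any suite listed is the configuration the advisory describes, and the fix is the 1.1.0c upgrade.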