"...[I]f an application deserializes untrusted ASN.1 structures containing an ANY field, and later reserializes them, an attacker may be able to trigger an out-of-bounds write. This has been shown to cause memory corruption that is potentially exploitable with some malloc implementations."

The second "high" severity issue (CVE-2016-2107) allows a man-in-the-middle (MitM) actor to use a padding oracle attack to probe an encrypted message for clues about its plaintext content whenever the connection uses an AES CBC cipher and the server supports AES-NI. Attackers could potentially exploit this flaw, which was introduced as part of the fix for the Lucky 13 padding attack back in 2013, to steal login passwords encrypted over HTTPS. As security expert Kenneth White told Ars Technica, these two vulnerabilities are at least partially due to OpenSSL's reliance on older encryption schemes:

"Both of these bugs are the result of complex legacy interoperability which will be solved by moving off of known dangerous protocol constructions like CBC (which is mandatory under TLS 1.3), and by developing and adopting much less complex certificate encoding and parsing software."

OpenSSL 1.0.2 users should upgrade to 1.0.2h, whereas 1.0.1 users should upgrade to 1.0.1t. For information on the remaining four security updates, all of which address "low" severity vulnerabilities, please refer to this month's security advisory. News of these patches comes less than one year after OpenSSL issued a fix for a high-severity alternative chains certificate forgery bug.
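A small helper for checking whether a host's `openssl version` banner is at or past the fixed releases named above (1.0.2h and 1.0.1t). This is an added example, not code from the article or from the OpenSSL project; the sample banners at the bottom are constructed, and branches the advisory did not patch are reported as "not covered" rather than guessed at.

```python
import re
from typing import Optional, Tuple

# Fixed releases named in the advisory discussed above. Other branches
# (0.9.8, 1.0.0, 1.1.0 pre-releases) are deliberately not mapped: the
# advisory gave no fix for them, so the checker says "not covered".
FIXED_RELEASES = {"1.0.2": "h", "1.0.1": "t"}

# Matches e.g. "OpenSSL 1.0.2g  1 Mar 2016": numeric branch plus patch letter.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def parse_openssl_version(banner: str) -> Optional[Tuple[str, str]]:
    """Return (branch, patch_letter) from an `openssl version` banner,
    or None when the banner is not an OpenSSL version string (LibreSSL,
    garbage, etc.)."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return m.group(1), m.group(2)


def needs_upgrade(banner: str) -> Optional[bool]:
    """True  -> a 1.0.2 or 1.0.1 build older than the fixed release.
    False -> at or after the fixed release on that branch.
    None  -> branch not addressed by this advisory, or unparsable."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    branch, letter = parsed
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        return None
    # OpenSSL patch levels are single lower-case letters that advance a..z,
    # and a bare "1.0.2" (no letter) precedes "1.0.2a", so plain string
    # comparison orders them correctly ("" < "a" < ... < "h").
    return letter < fixed


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    for sample in ("OpenSSL 1.0.2g  1 Mar 2016", "OpenSSL 1.0.2h  3 May 2016",
                   "OpenSSL 1.0.1s  1 Mar 2016", "LibreSSL 2.2.7"):
        verdict = needs_upgrade(sample)
        label = {True: "UPGRADE", False: "patched", None: "not covered"}[verdict]
        print(f"{sample!r}: {label}")
```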