High-Severity OpenSSL Vulnerability allows Hackers to Decrypt HTTPS Traffic

Datetime: 2016-08-22 21:47:45          Topic: OpenSSL, Hacker

OpenSSL has released a series of patches against six vulnerabilities, including a pair of high-severity flaws that could allow attackers to execute malicious code on a web server as well as decrypt HTTPS traffic.

OpenSSL is an open-source cryptographic library, the most widely used of its kind, that a significant portion of Internet services rely on to cryptographically protect their sensitive Web and e-mail traffic using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol.

One of the high-severity flaws, CVE-2016-2107, allows a man-in-the-middle attacker to initiate a "Padding Oracle Attack" that can decrypt HTTPS traffic if the connection uses an AES-CBC cipher and the server supports AES-NI.

A Padding Oracle flaw weakens the encryption protection by allowing attackers to repeatedly request plaintext data about the content of an encrypted payload.

The Padding Oracle flaw was discovered by Juraj Somorovsky using a tool he developed himself, called TLS-Attacker.

The bug has existed in the cryptographic library since 2013, when OpenSSL patched another Padding Oracle flaw called Lucky 13 that compromised TLS cryptography.

The second high-severity bug, CVE-2016-2108, is a memory corruption flaw in OpenSSL's implementation of ASN.1, the standard for encoding, transmitting and decoding data, that allows attackers to execute malicious code on the web server.

The vulnerability only affects OpenSSL versions prior to April 2015. Although the issue was fixed back in June 2015, the security impact of the update has now come to light.

According to OpenSSL, this flaw can potentially be exploited using maliciously-crafted digital certificates signed by trusted certificate authorities.

OpenSSL also patched four other low-severity vulnerabilities, including two overflow vulnerabilities, one memory exhaustion issue and one low-severity bug that resulted in arbitrary stack data being returned in the buffer.

You can find more technical details about the critical OpenSSL vulnerabilities on CloudFlare.

The security updates have been released for both OpenSSL versions 1.0.1 and 1.0.2 and administrators are advised to apply patches as soon as possible.
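While patches roll out, hosts can be triaged against the two CVE-2016-2107 conditions named above (AES-CBC cipher suites offered, AES-NI present on the server). The following is an added example, not code from the original article or from OpenSSL; it assumes a Linux `/proc/cpuinfo` and cipher entries shaped like those from Python's `ssl.SSLContext.get_ciphers()`, and the sample data and function names are constructed for illustration.

```python
import re

# Constructed sample inputs (not from the article): a /proc/cpuinfo excerpt and
# cipher entries in the shape returned by ssl.SSLContext.get_ciphers().
SAMPLE_CPUINFO = """processor\t: 0
model name\t: Example CPU
flags\t\t: fpu vme sse2 ssse3 pclmulqdq aes avx
"""
SAMPLE_CIPHERS = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384",
     "description": "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD"},
    {"name": "ECDHE-RSA-AES128-SHA",
     "description": "ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1"},
    {"name": "AES256-SHA256",
     "description": "AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256"},
    {"name": "DES-CBC3-SHA",
     "description": "DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1"},
]

# OpenSSL describes AES in CBC mode as Enc=AES(<bits>); GCM and CCM show up
# as AESGCM / AESCCM and are not matched.
_AES_CBC = re.compile(r"\bEnc=AES\(\d+\)")

def has_aesni(cpuinfo_text):
    """True if a 'flags' line of Linux /proc/cpuinfo lists the 'aes' CPU flag."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags" and "aes" in value.split():
            return True
    return False

def aes_cbc_suites(ciphers):
    """Names of the enabled suites whose bulk cipher is AES in CBC mode."""
    return [c["name"] for c in ciphers if _AES_CBC.search(c.get("description", ""))]

def triage(cpuinfo_text, ciphers):
    """Report whether both conditions the article names are present on a host."""
    cbc = aes_cbc_suites(ciphers)
    aesni = has_aesni(cpuinfo_text)
    return {"aesni": aesni, "aes_cbc_suites": cbc,
            "preconditions_met": aesni and bool(cbc)}

if __name__ == "__main__":
    print(triage(SAMPLE_CPUINFO, SAMPLE_CIPHERS))
```

A host that meets both conditions is only exposed if its OpenSSL build is still unpatched, so this output prioritises patching rather than replacing the version check.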




