Just two months after the Heartbleed Bug scare, the open-source group for OpenSSL today warned of a new set of vulnerabilities discovered in the protocol that could let an attacker carry out man-in-the-middle and buffer-overflow attacks or otherwise compromise data integrity.

Some security experts said these new vulnerabilities shouldn’t be discounted but don’t appear as serious as Heartbleed.

The OpenSSL Group today detailed a half dozen basic problems that require patching in various versions of OpenSSL-based servers and clients that use the protocol for encryption. The SANS Institute, in a webcast by director Johannes Ullrich in the SANS division known as the Internet Storm Center, quickly moved to put perspective on the OpenSSL advisory to its online audience of security practitioners.

“What you should tell management is this isn’t as bad as Heartbleed,” said Ullrich.

Although the new vulnerabilities in OpenSSL may not necessarily need to be patched today, they should be addressed in the next few days as vendors make it known if their products are impacted, Ullrich said.

The OpenSSL advisory pointed to potential man-in-the-middle attacks related to a “DTLS recursion flaw” and “DTLS invalid fragment vulnerability,” which only impact SSL used over the sessionless protocol UDP. This only affects SSL over UDP protocols that use DTLS, Ullrich said, which could mean some types of VPNs, VoIP, or WebRTC. Both the server and the client have to be vulnerable for an attacker to take advantage of these flaws.

Ullrich said the vulnerability that troubled him most is the buffer overflow attack possibility in the DTLS invalid fragment vulnerability, though there were no known exploits at the moment. He said more information is needed about this.

There are also two denial-of-service vulnerabilities in some versions of OpenSSL, plus another issue identified as “Anonymous ECDH DoS vulnerability” in which systems with elliptic-curve ECDH ciphersuites enabled are subject to a denial-of-service attack. Ullrich said Anonymous ECDH should be disabled in any event.

In summarizing how to start addressing this new batch of OpenSSL issues, Ullrich advised security managers to take what they learned during the Heartbleed Bug episode and apply it. That means identifying what users have in terms of OpenSSL implementations to determine what software is specifically vulnerable. There should also be monitoring for server crashes. However, it’s not realistic to think about abandoning use of SSL since it’s a “critical technology” used to protect data, he said.

Ullrich noted that this time, the OpenSSL project did provide some advance notice for large ISPs and software providers about the new OpenSSL vulnerabilities so they wouldn’t be caught off guard, as happened with the Heartbleed Bug.

Some security vendors are also weighing in on the advisory.

Jean Taggart, security researcher at Malwarebytes, said, “We shouldn’t be surprised that there are more flaws in the OpenSSL cryptographic library. Most notable is that the flaws discovered again do not affect the cryptographic methods used, but their implementation. The flaw is certainly less severe than Heartbleed, as a malicious actor must be in control of one of the nodes in between the intended victim and its destination, hence the man-in-the-middle references. This flaw enables forcing TLS (the transport layer security) to dumb down the encryption used to secure the flow of information to unsafe levels, where it can be decrypted, read and even possibly modified. It’s often said that security is a process, not a product. The independent code review, subsequent bug discovery and patching process is the strength of open source.”
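
Ullrich's advice above to disable anonymous ECDH can be checked against a server's configured cipher string. The following is an added example, not code from the article or from the OpenSSL project: it parses the output of `openssl ciphers -v` and reports every suite that performs no authentication, anonymous ECDH first. The sample lines are constructed, and the function names are illustrative.

```python
import re
import sys

# Constructed sample of `openssl ciphers -v '<cipher string>'` output.
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""

FIELD = re.compile(r"(\w+)=(\S+)")  # matches Kx=..., Au=..., Enc=..., Mac=...


def parse_suites(text):
    """Yield (suite_name, fields) for each well-formed line of the listing."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or truncated line
        fields = dict(FIELD.findall(line))
        if "Kx" in fields and "Au" in fields:
            yield parts[0], fields


def anonymous_suites(text):
    """Return (name, key_exchange) for suites with Au=None.

    Anonymous ECDH suites (Kx starting with ECDH) sort ahead of other
    anonymous suites such as ADH.
    """
    hits = [(name, f["Kx"]) for name, f in parse_suites(text)
            if f["Au"] == "None"]
    return sorted(hits, key=lambda h: (not h[1].startswith("ECDH"), h[0]))


if __name__ == "__main__":
    # Pipe real output in, or run with no input to use the constructed sample.
    listing = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    found = anonymous_suites(listing)
    for name, kx in found:
        print(f"anonymous suite enabled: {name} (Kx={kx})")
    sys.exit(1 if found else 0)
```

Piping in the listing for the server's actual cipher string makes the non-zero exit status usable as a configuration check; adding `!aNULL` to an OpenSSL cipher string excludes these suites.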