{"id":49141,"date":"2022-11-02T14:48:31","date_gmt":"2022-11-02T14:48:31","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/33997\/OpenSSL-Downgrades-Horror-Bug-After-Week-Of-Panic-Hype.html"},"modified":"2022-11-02T14:48:31","modified_gmt":"2022-11-02T14:48:31","slug":"openssl-downgrades-horror-bug-after-week-of-panic-hype","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/openssl-downgrades-horror-bug-after-week-of-panic-hype\/","title":{"rendered":"OpenSSL Downgrades Horror Bug After Week Of Panic, Hype"},"content":{"rendered":"<p>OpenSSL today issued a fix for a critical-turned-high-severity vulnerability that project maintainers warned about last week.&nbsp;<\/p>\n<p>After days of speculation, infosec professionals and armchair bug hunters received more of a trick than a treat on November 1: <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.openssl.org\/news\/vulnerabilities.html\">two CVE-tagged security issues<\/a>, both rated &#8220;high&#8221; severity, to patch. One flaw was earlier rated &#8220;critical,&#8221; though it has now been downgraded as it will require a high degree of technical skill to exploit, if that&#8217;s even possible at all against a realistic target.<\/p>\n<p>And now to be very clear: this isn&#8217;t a slam on the OpenSSL team. This drama isn&#8217;t their fault. 
Technically, the initially critical bug was arguably a critical issue as it&#8217;s a remote-code execution vulnerability albeit one that will be challenging to abuse.<\/p>\n<p>However, it&#8217;s not every day we&#8217;re warned of a critical flaw in OpenSSL \u2013 an important software library typically used by various apps and servers to encrypt data over networks and the internet \u2013 and so infosec vendors and blogs and influencers couldn&#8217;t help but hype it up, promising live feeds of pain and misery when details of the holes are revealed. And when those details were announced today, as planned, it all seemed a little overblown. 
That said, patches should be applied as necessary when able.<\/p>\n<p>As infosec guru Marcus Hutchins tweeted, it wasn&#8217;t worth the 
hand-wringing:<\/p>\n<blockquote class=\"twitter-tweet\" readability=\"9.448275862069\">\n<p lang=\"en\" dir=\"ltr\">Based on the technical details of the OpenSSL vulnerability, it theoretically could lead to RCE, but in practice it would be extremely unlikely or even impossible. On a 1-10 scale of was it worth the panic, I&#8217;d give it less than zero.<\/p>\n<p>\u2014 Marcus Hutchins (@MalwareTechBlog) <a href=\"https:\/\/twitter.com\/MalwareTechBlog\/status\/1587486298360598528?ref_src=twsrc%5Etfw\">November 1, 2022<\/a><\/p><\/blockquote>\n<p>Both bugs only affect a small subset of OpenSSL deployments: software using versions 3.0.0 (released September 2021) to 3.0.6. Apps, servers, and operating systems using those versions should upgrade to OpenSSL 3.0.7, which plugs the holes.<\/p>\n<p>The first vulnerability, tracked as CVE-2022-3602, can be exploited by a maliciously long email address in an encryption certificate to overflow four attacker-controlled bytes on the stack that crashes the application or server \u2014 or potentially leads to remote code execution (RCE) \u2014 but only after the certificate is validated. This would require &#8220;either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer,&#8221; according to the OpenSSL <a href=\"https:\/\/www.openssl.org\/news\/secadv\/20221101.txt\" rel=\"nofollow\">security advisory<\/a>.<\/p>\n<p>Thus a malicious app or server could send a specially crafted certificate, signed by a CA or otherwise accepted by the recipient, to a vulnerable server or client, and cause that target to crash or possibly gain control of it. Gaining control would involve somehow setting up the stack to use the overwritten bytes to hijack the flow of the program. Many platforms offer stack buffer overflow protections that would mitigate this risk of RCE, the OpenSSL advisory noted. 
Software should be built with stack buffer overflow detection in place. Not that much software is using OpenSSL 3 yet.<\/p>\n<p>And so, without jinxing ourselves, exploitation here is going to be limited.<\/p>\n<p>While the October 25 <a href=\"https:\/\/mta.openssl.org\/pipermail\/openssl-announce\/2022-October\/000238.html\" rel=\"nofollow\">pre-announcement<\/a> labeled this vulnerability as critical, the open source project team ultimately downgraded it to high based on the number of steps an attacker would need to take to achieve RCE.<\/p>\n<h3 class=\"crosshead\">&#8216;If the stars align&#8217;<\/h3>\n<p>&#8220;Actually exploiting this will be really really hard even for very competent exploit writers, and will require a large number of relatively unlikely scenarios to all align for the exploit writer for it to pan out,&#8221; <a href=\"https:\/\/twitter.com\/pwnallthethings\/status\/1587485922395815938\" rel=\"nofollow\">noted<\/a> security wizard Matt &#8216;Pwn All The Things&#8217; Tait, who shared an analysis of the flaw <a target=\"_blank\" rel=\"nofollow noopener\" 
href=\"https:\/\/www.pwnallthethings.com\/p\/is-openssl-wide-open\">here<\/a>.<\/p>\n<p>&#8220;That all said, if the stars do align, the attacker takes over the machine,&#8221; he added. &#8220;So don&#8217;t ignore it. Patch it for sure. But I also wouldn&#8217;t lose any sleep over it.&#8221;&nbsp;<\/p>\n<p>A key reason why the bug was initially labeled critical was that the OpenSSL team can&#8217;t guarantee people&#8217;s systems have the necessary protections in place to thwart the buffer overflow exploitation in this case, and so erred on the side of caution. We &#8220;have no way of knowing how every platform and compiler combination has arranged the buffers on the stack and therefore remote code execution may still be possible on some platforms,&#8221; the security team <a href=\"https:\/\/www.openssl.org\/blog\/blog\/2022\/11\/01\/email-address-overflows\/\" rel=\"nofollow\">said<\/a>.<\/p>\n<p>Per the project&#8217;s <a href=\"https:\/\/www.openssl.org\/policies\/general\/security-policy.html\" rel=\"nofollow\">policy<\/a>, a bug 
can be considered critical if RCE is &#8220;likely in common situations.&#8221;&nbsp;<\/p>\n<p>However, during the pre-notification week, after looking at the technical details and receiving input from groups performing testing on the flaw, RCE no longer seemed likely in common situations, the security team said.&nbsp;This is why the team downgraded the vulnerability to high-severity on November 1, they added.<\/p>\n<p>There&#8217;s a second high-severity vulnerability, CVE-2022-3786, that OpenSSL fixed in version 3.0.7. Like the first bug, this one follows a similar path to exploit, and can trigger a buffer overrun leading to a crash, but again only after a certificate has been signed or accepted.<\/p>\n<p>&#8220;An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the &#8216;.&#8217; character (decimal 46) on the stack,&#8221; according to the security advisory. &#8220;This buffer overflow could result in a crash (causing a denial of service).&#8221;<\/p>\n<h3 class=\"crosshead\">Lesson learned?<\/h3>\n<p>While neither vulnerability should inspire <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2014\/04\/08\/running_openssl_patch_now_to_fix_critical_bug\/\" rel=\"noopener\">Heartbleed-level panic<\/a>, Tenable senior research engineer Claire Tills told <em>The Register<\/em> there are lessons to be learned from &#8220;pre-announcement and rampant nail biting&#8221; up to the OpenSSL release, which &#8220;revealed a couple of high severity flaws that are not easy to exploit and only affect a small subset of OpenSSL implementations.&#8221;<\/p>\n<p>&#8220;This is an opportunity for organizations to evaluate their response processes and understand what can be improved,&#8221; Tills said. &#8220;How difficult was it for them to determine which version of OpenSSL they had deployed, or whether any software on which they rely was vulnerable? 
Were their communication channels mature enough to get correct information to the people who needed it as soon as it was available?&#8221;<\/p>\n<p>To answer those questions, upgrade to the fixed OpenSSL version, if you&#8217;re using OpenSSL 3 \u2014 and then go have a drink to celebrate that this wasn&#8217;t as bad as we all feared. Oh, and of course, we should mention: there are alternatives to OpenSSL, such as Google&#8217;s BoringSSL which isn&#8217;t affected by this.<\/p>\n<p>For more details, <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.openssl.org\/blog\/blog\/2022\/11\/01\/email-address-overflows\/\">see the FAQ<\/a>. No exploitation or working exploit code has been observed in the wild. \u00ae<\/p>\n<p> READ MORE <a href=\"https:\/\/packetstormsecurity.com\/news\/view\/33997\/OpenSSL-Downgrades-Horror-Bug-After-Week-Of-Panic-Hype.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[60],"tags":[10266],"class_list":["post-49141","post","type-post","status-publish","format-standard","hentry","category-packet-storm","tag-headlineflawpatchcryptography"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>OpenSSL Downgrades Horror Bug After Week Of Panic, Hype 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/openssl-downgrades-horror-bug-after-week-of-panic-hype\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"OpenSSL Downgrades Horror Bug After Week Of Panic, Hype 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/openssl-downgrades-horror-bug-after-week-of-panic-hype\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-11-02T14:48:31+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/patches&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y2Odf55-Y1tDptdW6VRTEwAAANQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/openssl-downgrades-horror-bug-after-week-of-panic-hype\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/openssl-downgrades-horror-bug-after-week-of-panic-hype\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"OpenSSL Downgrades Horror Bug After Week Of Panic, Hype\",\"datePublished\":\"2022-11-02T14:48:31+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/openssl-downgrades-horror-bug-after-week-of-panic-hype\\\/\"},\"wordCount\":1074,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/openssl-downgrades-horror-bug-after-week-of-panic-hype\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/patches&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y2Odf55-Y1tDptdW6VRTEwAAANQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"keywords\":[\"headline,flaw,patch,cryptography\"],\"articleSection\":[\"Packet Storm\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/openssl-downgrades-horror-bug-after-week-of-panic-hype\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/openssl-downgrades-horror-bug-after-week-of-panic-hype\\\/\",\"name\":\"OpenSSL Downgrades Horror Bug After Week Of Panic, Hype 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/openssl-downgrades-horror-bug-after-week-of-panic-hype\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/openssl-downgrades-horror-bug-after-week-of-panic-hype\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/patches&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y2Odf55-Y1tDptdW6VRTEwAAANQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"datePublished\":\"2022-11-02T14:48:31+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/openssl-downgrades-horror-bug-after-week-of-panic-hype\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/openssl-downgrades-horror-bug-after-week-of-panic-hype\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/openssl-downgrades-horror-bug-after-week-of-panic-hype\\\/#primaryimage\",\"url\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/patches&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y2Odf55-Y1tDptdW6VRTEwAAANQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"contentUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/patches&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y2Odf55-Y1tDptdW6VRTEwAAANQ&amp;t=ct%3Dns%26unitnum%
3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/openssl-downgrades-horror-bug-after-week-of-panic-hype\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"headline,flaw,patch,cryptography\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/headlineflawpatchcryptography\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"OpenSSL Downgrades Horror Bug After Week Of Panic, Hype\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/49141","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=49141"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/49141\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=49141"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=49141"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=49141"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}