November 2, 2022
The open-source cryptographic library is an industry-standard found in an enormous range of applications.
In late October, the OpenSSL Project announced it would release a patch for a critical security vulnerability on November 1st, 2022. The organization did not share any details about the vulnerability itself, other than the fact that it impacts all OpenSSL versions 3.0 and above.
OpenSSL Version 3.0.7 is now released.
SSL/TLS communication is a basic element of the secured Internet, and OpenSSL is a popular open-source implementation of that protocol. It is used by operating systems and network-enabled applications across the board.
Any vulnerability in the OpenSSL framework will impact organizations of all sizes, spanning every industry. Patching the latest OpenSSL version as quickly as possible is highly recommended.
What Do We Know About the OpenSSL Vulnerability?
Not much. As of October 31st, the vulnerability has not yet been assigned a CVE number.
The OpenSSL Project has declined to share data about the vulnerability pending its release of the 3.0.7 patch. This decision temporarily protects potential victims from opportunistic cybercriminals who may exploit it before the patch is available.
OpenSSL’s categorization of the issue indicates that the vulnerability impacts common configurations and may be exploitable. A critical issue may lead to significant disclosure of server memory contents, reveal user details, or allow attackers to compromise private keys.
Why Organizations Must Prioritize the OpenSSL Patch
OpenSSL declined to share any information about the vulnerability prior to releasing the 3.0.7 patch. This forces potential attackers to try and discover it on their own, which requires significant time and resources.
After the patch becomes public, that’s no longer the case. Threat actors can identify the vulnerability by looking at the patch changes.
Cybercriminals are known to attack organizations that delay implementing critical vulnerability patches. Taking advantage of the gap between disclosure and implementation has proven to be a successful tactic for years. There is no reason to believe the OpenSSL vulnerability will be any different.
That means that starting on November 1st, cybercrime groups will likely download the OpenSSL 3.0.7 patch, identify the vulnerability it fixes, and scan for organizations that haven’t updated in time.
Start by Checking Which Version of OpenSSL You Run
The critical vulnerability only impacts OpenSSL version 3.0 and later. This version was released on September 7th, 2021, so any instance of OpenSSL older than that will not be affected. OpenSSL is available for Windows, Linux, and MacOS, and you can check your installed version through the operating system’s command line by running this code:
openssl version –a
Linux Ubuntu 22.04, Fedora 36, RHEL 9, and MacOS Ventura come with OpenSSL 3.0. Container images built with impacted operating systems will be impacted, as well. Both Node.js 18 and Node.js 19 use OpenSSL 3.0. Enterprise developers building applications in C or C++ may also incorporate OpenSSL 3.0 in their code.
Security leaders will have to systematically check every instance of OpenSSL 3.0 running throughout the organization and ensure each one is updated to the latest version. This may require prioritizing external-facing systems and mission-critical applications first, then moving on to servers hosting shared services before updating all other impacted systems.
This is a developing story. It will be updated once details on the OpenSSL vulnerability are made public.