October 31, 2022

OpenSSL: Critical Patch on Nov 1st

Audience for this post: System administrators, IT staff, and staff members responsible for maintaining IT systems

We will continue to update this post with news and links to resources to help you prioritize your remediation efforts as more information becomes available.


11/01/2022 update:

OpenSSL has published a blog post about the vulnerabilities. The “critical” rating has been downgraded to high.

Their advice:

“We still consider these issues to be serious vulnerabilities and affected users are encouraged to upgrade as soon as possible.”

More details from their blog:

  • Users of OpenSSL 3.0.0 – 3.0.6 are encouraged to upgrade to 3.0.7 as soon as possible. If you obtain your copy of OpenSSL from your Operating System vendor or other third party then you should seek to obtain an updated version from them as soon as possible.
  • We are not aware of any working exploit that could lead to remote code execution, and we have no evidence of these issues being exploited as of the time of release of this post.
  • New applications should be developed to use the latest version of OpenSSL 3.0 (currently 3.0.7). Existing applications using OpenSSL 3.0 should upgrade to 3.0.7 as soon as possible. Existing applications using OpenSSL 1.1.1 are not affected by these issues. However, we always recommend using the latest version (1.1.1s). OpenSSL 1.1.1 is supported until 11th September 2023. Users of older versions of OpenSSL (such as 1.0.2) are encouraged to upgrade to OpenSSL 3.0. There was no release of OpenSSL 2.


Summary

Last week, the OpenSSL Project announced a “critical” vulnerability in versions 3.0 and above of their ubiquitous cryptographic library for encrypting communications on the Internet. Tomorrow, Tuesday, Nov. 1, the project will release a new version of OpenSSL (version 3.0.7) that will patch an as-yet-undisclosed flaw in current versions of the technology.

Here is everything we know about the vulnerability so far:

  • OpenSSL version 3 is relatively new and has seen gradual adoption. Many software applications still use OpenSSL v1, which is not affected.
  • The vulnerability affects Ubuntu 22.04 and later, RHEL 9, CentOS, and likely other Linux distributions. (https://access.redhat.com/solutions/6982111)
  • OpenSSL is widely used as a software dependency and is frequently embedded in device firmware. Check with software vendors, particularly for IoT and network devices, to see if you are affected and when to expect a patch.
  • LibreSSL (used by Apple in macOS) is not vulnerable.
  • A reboot may be required so that all running daemons pick up the upgraded library.

Best Practices

  • Subscribe to security announcements for all vendors of software in your environment.
  • OpenSSL is used by many programs, so it will be challenging to determine everywhere it is in use.
  • Expose services to the internet only where required. (Read more: Risk Mitigations for Devices on UW Networks)
  • Apply updates regularly, and enable automatic updates whenever possible.
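Two of the points above, knowing whether the installed OpenSSL falls in the 3.0.0 – 3.0.6 range and finding daemons that still hold the pre-upgrade library after patching, can be checked with a small script. The following is an added example, not part of the original advisory or of the OpenSSL project; it assumes a Linux host with /proc mounted and the openssl(1) binary on PATH, and hard-codes the affected range quoted from the OpenSSL blog above.

```shell
#!/bin/sh
# Added example (not from the original advisory): classify an OpenSSL version
# string against the 3.0.0 - 3.0.6 range and list processes that still have an
# OpenSSL 3 libssl mapped, so daemons needing a restart can be found.

# openssl_affected VERSION -> exit 0 if VERSION is 3.0.0 .. 3.0.6, else 1.
# Accepts bare "3.0.2" or full "openssl version" output "OpenSSL 3.0.2 15 Mar 2022".
openssl_affected() {
    ver=${1#OpenSSL }          # drop the leading product name, if present
    ver=${ver%% *}             # keep only the version token
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}    # strip letter suffixes such as the "s" in 1.1.1s
    [ "$major" = 3 ] || return 1
    [ "$minor" = 0 ] || return 1
    [ "${patch:-0}" -le 6 ]
}

# check_installed -> report the version of the openssl binary on PATH.
check_installed() {
    v=$(openssl version 2>/dev/null) || { echo "openssl binary not found"; return 2; }
    if openssl_affected "$v"; then
        echo "AFFECTED: $v (upgrade to 3.0.7)"
    else
        echo "not in affected range: $v"
    fi
}

# libssl3_users -> "<pid> <name> <path>" for every process with libssl.so.3
# mapped. A "(deleted)" mapping means the process still runs the copy that was
# replaced on disk by the upgrade and must be restarted (or the host rebooted).
libssl3_users() {
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}; pid=${pid%/maps}
        line=$(grep 'libssl\.so\.3' "$m" 2>/dev/null | head -n 1)
        [ -n "$line" ] || continue
        name=$(cat "/proc/$pid/comm" 2>/dev/null)
        case $line in
            *"(deleted)"*) echo "$pid $name  OLD libssl still mapped; restart needed" ;;
            *)             echo "$pid $name  ${line##* }" ;;
        esac
    done
}

check_installed || true
libssl3_users
```

Run it once before and once after applying the vendor update; any line marked "restart needed" in the second run identifies a daemon that has not yet picked up the patched library.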

Resources and References

(Note: links to vendor websites are not an endorsement of their products)

Sophos’ Naked Security blog: The OpenSSL security update story – how can you tell what needs fixing?

OpenSSL: CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows

Bleeping Computer: OpenSSL fixes two high severity vulnerabilities, what you need to know

Ubuntu: USN-5710-1: OpenSSL vulnerabilities

SANS: Critical OpenSSL 3.0 Update Released

Dazz: OpenSSL critical vulnerability – what is affected?

Red Hat: OpenSSL October, 2022 critical issue

Office of Information Security: Transport Layer Security Risk Advisory