critical vulnerability (CVE-2022-3786, CVE-2022-3602) was discovered in OpenSSL, a popular open source cryptography library that many applications, operating systems and websites use to secure communications via Secure Sockets Layer (SSL) and Transport Layer Security (TLS).
OpenSSL version 3.0.0 is affected. Version 3.0.7, which is now available,
to be released between 13:00-17:00 UTC (9 am – 1 pm ET) will fix the issue, according to the OpenSSL team. The vulnerability primarily affects clients rather than servers.
Update 11/1 @ 1:30 PM ET: The vulnerability rating was downgraded to high.
How Bad is This?
Technical details are not yet released, but the OpenSSL project provides some information on what it considers high:
“This includes issues that are of a lower risk than critical, perhaps due to affecting less common configurations, or which are less likely to be exploitable. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to keep the time these issues are private to a minimum; our aim would be no longer than a month where this is something under our control.”
This is not the first OpenSSL vulnerability; in 2014, Heartbleed (CVE-2014-0160) affected thousands of web servers, enabling attackers to access the parts of OpenSSL’s memory that should be private — which could include SSL private keys.
It is currently not yet clear whether this vulnerability will have the impact that Heartbleed did, but some experts are speculating that it will be similar or worse.
What Should I Do?
Prioritize patching as soon as OpenSSL version 3.0.7 is made available — it is now available
between 13:00-17:00 UTC (9 am – 1 pm ET). The OpenSSL Git repository should have the latest version at https://github.com/openssl/openssl or https://www.openssl.org/source/.
Users wondering what to patch first should follow this prioritization list below:
- External-facing machines that can be reached via the internet.
- Systems that host shared services amongst multiple users.
- All other affected hosts.
How To Detect
OpenSSL provides a command line utility and a quick query will return the results of your SSL library running on any device:
% openssl version
OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
The example shows a vulnerable version of OpenSSL. This device will require an update to 3.0.7.
You can also check this list to see whether a vendor is vulnerable or not.
Alternatively, you can check your vulnerability scanner results and/or next-generation endpoint protection tools such as SentinelOne, Crowdstrike, etc. for affected devices on your network that have the endpoint agent installed.
For all other non-standard installations of OpenSSL, keep an eye out for software vendors to provide details on updating their application software that runs on OpenSSL.
Sign Up For Your Free Account
Blumira’s cloud SIEM detects and alerts you about suspicious behavior in your environment so that you can stop an incident early enough to prevent damage. Each finding we send is accompanied with a security playbook, giving you clear recommendations on how to remediate an attack. Our support team of security analysts is always available to answer questions on how to interpret a finding, or for other security help.
Blumira’s free SIEM is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.