New OpenSSL vulnerability threatens public services
The OpenSSL Project team has announced that on November 1st, 2022 it will release a new version of OpenSSL that fixes a critical vulnerability recently discovered in the popular open-source cryptographic library.
OpenSSL provides TLS-encrypted communications, mostly for internet-facing web services, and is bundled into everything from operating systems and business applications to web server software (Apache, nginx, etc.) and network appliances from vendors such as Cisco, Fortinet, Symantec and Juniper.
The new vulnerability reminds many of the catastrophic Heartbleed bug discovered in 2014, which forced many organizations to scramble to patch, as it enabled attackers to obtain sensitive information such as passwords and secrets without any user interaction.
There is some good news this time. First, the OpenSSL Project team has decided not to publish the vulnerability details, in order to allow the fixed version to be widely deployed before attackers figure out ways to exploit the bug.
Second, the new vulnerability appears to affect only OpenSSL versions 3.0 and above, which are less prevalent in customer deployments than earlier versions.
Nevertheless, it still means organizations will need to carefully scan all their assets to discover potentially vulnerable systems, which requires a lot of time and resources. As when other public services are found to be vulnerable (for example Microsoft Exchange), organizations that opt for managed or SaaS services are in a much better position. Running your own servers in a DIY fashion is becoming increasingly difficult in today's threat landscape.
As the OpenSSL team usually directly notifies organizations with which the project has a commercial relationship, it can be assumed that providers of commercial solutions, especially SaaS or managed services, are already implementing the fix, or will do so much faster than organizations with in-house servers and incomplete IT inventories.
Furthermore, on-premise equipment from vendors such as Cisco IronPort, Symantec, F5 Networks and many others is also likely to be affected, and will therefore need manual intervention.
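The asset scan described above amounts to collecting `openssl version` output from each host and flagging 3.x builds. The following triage script is an added example, not part of the original article: the hostnames and version banners are constructed, and the `fixed` parameter is a placeholder for the fixed release number, which the project had not published at the time of writing.

```python
import re
from typing import Optional, Tuple

# Constructed sample of `openssl version` output gathered from several hosts
# (hostnames and versions are made up for this illustration).
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 3.0.5 5 Jul 2022",
    "web-02": "OpenSSL 1.1.1q  5 Jul 2022",
    "vpn-gw": "OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)",
    "legacy-app": "OpenSSL 1.0.2u  20 Dec 2019",
    "build-box": "LibreSSL 3.3.6",
}

VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner: str) -> Optional[Tuple[int, int, int, str]]:
    """Extract (major, minor, patch, letter) from `openssl version` output.
    Returns None for banners that are not OpenSSL (e.g. LibreSSL)."""
    m = VERSION_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def is_affected(banner: str, fixed: Optional[Tuple[int, int, int]] = None) -> bool:
    """True if the banner is an OpenSSL 3.x build older than `fixed`.
    `fixed` is the (major, minor, patch) of the fixed release (placeholder);
    while it is unpublished (None), every 3.x build counts as affected."""
    v = parse_version(banner)
    if v is None:
        return False
    major, minor, patch, _ = v
    if major < 3:
        return False  # advisory: only 3.0 and above are affected
    if fixed is None:
        return True
    return (major, minor, patch) < fixed


def triage(inventory: dict, fixed: Optional[Tuple[int, int, int]] = None) -> dict:
    """Map each host to 'affected', 'not-affected' or 'unknown' (non-OpenSSL banner)."""
    result = {}
    for host, banner in inventory.items():
        if parse_version(banner) is None:
            result[host] = "unknown"
        else:
            result[host] = "affected" if is_affected(banner, fixed) else "not-affected"
    return result


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Note that `openssl version` only reports the command-line binary; applications and appliances that statically link their own copy of the library need to be checked against vendor advisories as well.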
In any case, get ready for patching on November 1st and find out more about the latest OpenSSL vulnerability here.