WHAT YOU SHOULD KNOW: Patch OpenSSL 3.x


On October 25th 2022 the OpenSSL project team announced OpenSSL v.3.0.7: a CRITICAL security-fix release. This is only the second time that the OpenSSL project addressed a CRITICAL vulnerability. The last time yielded the costly Heartbleed (CVE-2014-0160).

We have no information except that: “This release will be made available on Tuesday 1st November 2022 between 1300-1700 UTC.”

So, what now, at least until Tuesday when the undisclosed flaw is revealed? We answer some of the most pressing questions below, starting from the basics.

Q: What is OpenSSL?
A: If you’re using HTTPS, you’re most likely using OpenSSL. OpenSSL is the library that implements TLS and its predecessor SSL, the cryptographic protocols that make most web communication confidential, authenticated, and resilient. Almost everyone using the web is relying on OpenSSL somewhere.

Q: What are OpenSSL Vulnerabilities?
A: OpenSSL vulnerabilities are bugs, misconfigurations, and design flaws in the OpenSSL library that enable a wide range of attacks on TLS connections: remote code execution, eavesdropping, spoofing, and so on.

Q: Is Patch OpenSSL 3.x serious? Why should I care?
A: The OpenSSL definition of critical is as follows:

  • CRITICAL Severity: “This affects common configurations, and which are also likely to be exploitable.”

This is the highest severity rating that OpenSSL assigns to a vulnerability. We should care.

If history teaches us anything (e.g., Heartbleed: CVE-2014-0160), vulnerabilities categorized as CRITICAL have resounding effects. Heartbleed caused significant data losses after it was found, and unpatched instances still exist in many systems today.

Q: Why was this vulnerability announced a week early without a patch? Won’t it give attackers time to find the vulnerability?
A: No. According to Mark J. Cox, a Red Hat Distinguished Software Engineer and the Apache Software Foundation (ASF)’s VP of Security: “Given the number of changes in 3.0 and the lack of any other context information, such scouring is very highly unlikely.”

Q: Does Patch OpenSSL 3.x have a CVE ID?
A: No. OpenSSL will publish CVE ID(s) for Patch OpenSSL 3.x in the to-be-released advisory. We write CVE ID(s) because there may be more than one issue in the pending advisory.

Q: What OpenSSL versions will this update affect?
A: The update will only affect OpenSSL 3.0.x. OpenSSL 1.1.1 will NOT be affected.

Q: What OpenSSL version does my OS have?
A: SANS published a quick and helpful list on this. 

Q: What should I do in the meantime?
A: You should immediately build and maintain an inventory of all systems, servers, and certificates that use OpenSSL, including the version in use. If you ready yourself now with the knowledge of where you are using OpenSSL 3.0+ and how you are using it, then you can quickly determine your risk profile against the advisory CVE ID(s) and what you need to patch.
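An added example, not from the original post: a POSIX shell helper that parses `openssl version` output, flags the 3.0.0 through 3.0.6 range the 1 November release will fix (3.0.7 being the fix build, and 1.1.1 out of scope per the pre-announcement), and lists where OpenSSL lives on the local host. The function names `openssl_version_of`, `openssl_affected` and `inventory_host` are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed helper names:
# openssl_version_of, openssl_affected, inventory_host.

# Print the bare version from an "openssl version" line,
# e.g. "OpenSSL 3.0.5 5 Jul 2022" -> 3.0.5. A bare "3.0.5" is accepted too;
# a "-fips" style suffix is dropped.
openssl_version_of() {
    v=${1#"OpenSSL "}    # drop the leading "OpenSSL " if present
    v=${v%% *}           # keep only the version token
    v=${v%%-*}           # "1.0.2k-fips" -> "1.0.2k"
    printf '%s\n' "$v"
}

# Exit status 0 when the version is 3.0.0 through 3.0.6 (needs the 1 November
# release), 1 otherwise: 1.1.1 is out of scope and 3.0.7 is the fixed build.
openssl_affected() {
    v=$(openssl_version_of "$1")
    case "$v" in
        3.0.*)
            p=${v#3.0.}
            p=${p%%[!0-9]*}              # tolerate a trailing tag on the patch number
            if [ -n "$p" ] && [ "$p" -lt 7 ]; then return 0; fi
            return 1 ;;
        *) return 1 ;;
    esac
}

# Inventory the local host: the openssl binary, the libssl shared objects the
# dynamic loader knows about, and running processes that have libssl mapped
# (those keep the old library in memory until restarted).
inventory_host() {
    if command -v openssl >/dev/null 2>&1; then
        printf 'binary: %s\n' "$(openssl version)"
    fi
    if command -v ldconfig >/dev/null 2>&1; then
        ldconfig -p 2>/dev/null | grep 'libssl\.so' | sed 's/^[[:space:]]*/library: /'
    fi
    for m in /proc/[0-9]*/maps; do          # Linux only; silently empty elsewhere
        pid=${m#/proc/}; pid=${pid%/maps}
        lib=$(grep -o '[^ ]*libssl\.so[^ ]*' "$m" 2>/dev/null | sort -u | head -n 1)
        if [ -n "$lib" ]; then printf 'process: pid=%s lib=%s\n' "$pid" "$lib"; fi
    done
    return 0
}

# Usage: sh openssl_inventory.sh --inventory   (reports the local host)
if [ "${1:-}" = "--inventory" ]; then
    inventory_host
fi
```

Run the inventory on each host and feed each `binary:`/`library:` line through `openssl_affected` to get the list of machines that need Tuesday's update.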

Though less pressing than the inventory work, outdated OpenSSL 3.0.x installs should be upgraded to at least OpenSSL v.3.0.5 now. On Tuesday we should also expect updates for OpenSSL v.1.1.1, which will need to be applied as well. Outstanding vulnerabilities in older versions, such as memory corruption and other implementation flaws, are risks not worth carrying.

Lastly, all stakeholders in your organization should be aware of this vulnerability as it develops. We don’t know how involved or how taxing on Security this update will be. But as a wise man once said, and we echo: if you fail to prepare, you prepare to fail.