What you need to know about the latest critical OpenSSL vulnerability

Key takeaways:

OpenSSL 3.0.7, which fixes a critical vulnerability, is scheduled for release on Tuesday, 01-Nov-2022. The advance notice gives teams a window to prepare a rapid response before the details are public.

When is this useful?

Anyone operating servers or services should be aware that this is coming: OpenSSL underpins TLS on most web servers, and an issue of this severity is likely to be targeted in active exploit campaigns once details are released.

OpenSSL is an open source library that implements TLS and much of the cryptography used across the internet. It’s one of those critical projects you don’t hear much about…unless there’s a problem.

That’s the case this week: the project is releasing a new version, 3.0.7, on Tuesday, 01-Nov-2022 to address a critical vulnerability.

How bad is the issue?

Honest answer? We don’t know. The OpenSSL project provided a heads-up of this issue via their mailing list and the details will be released alongside the patch on Tuesday, 01-Nov-2022.

This is a very considerate move by the project as it provides teams with a window to plan their response.

How widespread is this?

The OpenSSL project has confirmed that this vulnerability affects OpenSSL versions 3.0.0 through 3.0.6. Earlier versions, including the still widely deployed 1.1.1 series, are not impacted.

This means any Linux distribution or server software built on the 3.0 series will be impacted. OpenSSL 3.0.0 was released in September of 2021, so systems that have not been rebuilt or upgraded since then may still be on 1.1.1 and unaffected. Note that OpenSSL is also commonly bundled with, or statically linked into, application runtimes and container images, so a package-manager query alone will not tell you whether an affected copy is present.

The SANS Internet Storm Center has compiled a list of common Linux distributions and their corresponding default OpenSSL version.

What should I do right now?

Until further details are released, take this opportunity to inventory your systems, looking for any that are running affected OpenSSL versions. Check the packaged libraries, the openssl command-line tool, and copies bundled inside application runtimes and container images.
This inventory will help you plan your remediation steps when the update is released on Tuesday. We know that the vulnerability is rated critical by the project.

That rating means the issue affects common configurations and is likely to be exploitable. It is the highest severity rating the project has, and it is the level at which the project commits to a new release as soon as possible with advance notice, which is exactly what is happening here.

Previous examples like Heartbleed (CVE-2014-0160) have had a significant impact across the internet.
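The inventory step described above, as an added example that is not part of the original post and not Lacework's or the OpenSSL project's tooling: a POSIX shell helper that classifies version strings against the 3.0.0 through 3.0.6 range, reads the host's `openssl version` output, checks the package manager's view, and lists bundled libssl/libcrypto 3.x shared objects that a package query would miss. The function names, the search root and the sample package lines are my own choices; the distro package strings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from Lacework or the OpenSSL project.
# Inventory helper for the OpenSSL 3.0.0-3.0.6 window. Plain POSIX sh so it
# runs on minimal container images; variables are global by design.

# Return 0 (true) when a version string falls in the affected range
# 3.0.0 through 3.0.6, 1 otherwise. Accepts bare upstream versions (3.0.2),
# 1.x letter releases (1.1.1q) and distro package versions
# (3.0.2-0ubuntu1.6): only the leading numeric major.minor.patch is read,
# and a bare "3.0" is treated as 3.0.0.
is_affected() {
    v="$1"
    major="${v%%.*}"
    rest="${v#*.}"
    minor="${rest%%.*}"
    rest="${rest#*.}"
    patch="${rest%%[!0-9]*}"      # drop "-0ubuntu1.6", "q", etc.
    if [ -z "$patch" ]; then patch=0; fi
    [ "$major" = "3" ] && [ "$minor" = "0" ] && [ "$patch" -le 6 ]
}

# Pull the version token out of `openssl version` output, e.g.
# "OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)" -> 3.0.2
# Prints nothing for non-OpenSSL CLIs such as LibreSSL on macOS.
parse_openssl_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Read "name version" lines on stdin and flag each one.
classify_lines() {
    while read -r name ver; do
        [ -n "$ver" ] || continue
        if is_affected "$ver"; then
            echo "$name $ver: AFFECTED (3.0.0-3.0.6)"
        else
            echo "$name $ver: outside the affected range"
        fi
    done
}

# Classify the system's default openssl binary, if one is installed.
report_cli() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl CLI: not installed"
        return 0
    fi
    ver=$(parse_openssl_version "$(openssl version 2>/dev/null)")
    if [ -z "$ver" ]; then
        echo "openssl CLI: unrecognised version output"
    else
        echo "openssl $ver" | classify_lines
    fi
}

# Package-manager view (Debian/Ubuntu and RPM families), emitted as
# "name version" lines. Distros backport fixes without bumping the upstream
# version, so once the 01-Nov-2022 advisories land, trust the distro's
# fixed-version numbers over this range check.
report_packages() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Package} ${Version}\n' 'libssl*' 'openssl' 2>/dev/null || true
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'openssl*' 2>/dev/null || true
    fi
}

# Bundled copies are what package inventories miss: Node.js, Python builds
# and many container images carry their own libssl. Walk the filesystem for
# 3.x shared objects; pass a narrower root (e.g. /opt) to scan a mounted
# image. Statically linked binaries will not show up here; for those,
# `strings <binary> | grep 'OpenSSL 3.0'` finds the embedded version text.
scan_bundled_libs() {
    root="${1:-/}"
    find "$root" -xdev -type f \( -name 'libssl.so.3*' -o -name 'libcrypto.so.3*' \) 2>/dev/null || true
}

inventory() {
    report_cli
    report_packages | classify_lines
    echo "bundled 3.x shared objects under ${1:-/}:"
    scan_bundled_libs "${1:-/}"
}

# Usage: sh openssl_inventory.sh run [root]
case "${1:-}" in
    run) inventory "${2:-/}" ;;
esac
```

Run it with `sh openssl_inventory.sh run` on each host, or `sh openssl_inventory.sh run /mnt/image` against a mounted container filesystem, and collect the AFFECTED lines into the inventory you will work from on Tuesday. The range check is deliberately conservative: it flags anything in 3.0.0 through 3.0.6 regardless of distro patch level, because before the advisory there is no fixed version to compare against.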

How Lacework can help

Lacework customers can search for vulnerable versions of OpenSSL ahead of the release by following the instructions given when logging into their console.

Stay tuned

Knowing that something bad is coming, but not what it is, seems frustrating. In this case, it’s actually a good thing.

The usual workflow for serious vulnerabilities is that we learn about them either when a patch is issued or when they are already being actively exploited. Getting a heads-up that an upcoming update addresses a significant security risk provides a window you can use to prepare your response.

While we all hope this isn’t as significant as previous critical vulnerabilities, it’s wise to prepare for the worst. We will update this post as we learn more.

Article Link: What you need to know about the latest critical OpenSSL vulnerability | Lacework Labs