Four quick things to know about the critical bug in OpenSSL that will be disclosed Nov. 1

The OpenSSL project team will release a new version of the OpenSSL library (version 3.0.7) on Tuesday to address a critical vulnerability in versions 3.0 to 3.6 of the widely used open source, command-line toolkit.

Four key things to know:

Impact will likely be wide: The OpenSSL team rates a vulnerability as “Critical” only if it affects common configurations, is remotely exploitable and leads to outcomes like disclosure of the contents of server memory, compromise of server private keys or remote code execution.

But it could have been worse: The vulnerability only affects the v3 branch of OpenSSL and not the much more widely used v1 branch. Among the Linux distros using the affected version are CentOS 9, Ubuntu 22.04, Fedora 9, Fedora Rawhide, Kali 2022.3, RedHat ES9 and OpenMandriva 4.3.

The vulnerability might be easy to trigger but hard to weaponize: Security vendor Horizon3.ai thinks that threat actors will likely need to make some serious investment and spend considerable time to be able to weaponize the new vulnerability.

Prepare now: Organizations should identify whether they are affected and, if so, figure out which applications might be using affected OpenSSL versions, and where else in their technology stack it might be embedded. Use the openssl command line utility to determine the version of OpenSSL you are using.

Determine if any vulnerable assets could be exposed or offer a path for targeting other systems. A software composition analysis (SCA) can help organizations identify the suppliers and vendors they may need to contact to get updates.
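The two preparation steps above (check the version the openssl utility reports, then look for other copies embedded in the stack) can be scripted. The POSIX shell below is an added example, not part of the article or of the OpenSSL project. It assumes only what the article states: the fix ships in 3.0.7 and only the v3 branch is affected, so it treats every 3.0.x release below 3.0.7 as affected and anything on the 1.x branch as not affected. The function and file names are ones chosen here for illustration.

```shell
#!/bin/sh
# Added example: triage a host for the OpenSSL 3.0.x vulnerability.
# Assumption (from the article): 3.0.7 carries the fix, so 3.0.0 .. 3.0.6
# are affected and the 1.x branch is not.

# Extract the bare version number from `openssl version` output,
# e.g. "OpenSSL 3.0.5 5 Jul 2022" -> "3.0.5".
openssl_version_number() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# Classify a version number as "affected", "not-affected" or "unknown".
openssl_status() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    # Drop letter suffixes such as the "q" in 1.1.1q before comparing numbers.
    patch=$(printf '%s' "$ver" | cut -d. -f3 | sed 's/[^0-9].*$//')
    for n in "$major" "$minor" "$patch"; do
        case "$n" in
            ''|*[!0-9]*) echo unknown; return 0 ;;
        esac
    done
    if [ "$major" -ne 3 ]; then
        echo not-affected          # only the v3 branch is affected
    elif [ "$minor" -eq 0 ] && [ "$patch" -lt 7 ]; then
        echo affected              # 3.0.0 .. 3.0.6: upgrade to 3.0.7
    else
        echo not-affected          # 3.0.7 or later already carries the fix
    fi
}

# Report on the openssl binary on PATH (or the binary given as $1).
check_installed_openssl() {
    bin="${1:-openssl}"
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo "openssl not found on PATH"
        return 1
    fi
    out=$("$bin" version 2>/dev/null) || { echo "failed to run $bin version"; return 1; }
    echo "$out -> $(openssl_status "$(openssl_version_number "$out")")"
}

# `openssl version` only covers the system binary; applications may ship their
# own copy. List OpenSSL 3 shared objects under a directory tree (default: /).
# Statically linked copies will not show up here and need SCA or vendor input.
find_bundled_libssl() {
    find "${1:-/}" -xdev -type f \
        \( -name 'libssl.so.3*' -o -name 'libcrypto.so.3*' \) 2>/dev/null
}

# Run the checks when invoked directly: sh openssl_triage.sh --run [dir]
if [ "${1:-}" = "--run" ]; then
    check_installed_openssl
    find_bundled_libssl "${2:-/}"
fi
```

Run it with `--run /opt` (or another tree where third-party software is installed) to get the system verdict plus a list of vendored `libssl.so.3`/`libcrypto.so.3` files to follow up on. A clean result from the find step is not proof of absence: statically linked OpenSSL and copies inside containers or appliances are exactly the cases the article's SCA step is meant to cover.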


For more:

Horizon3.ai: OpenSSL Critical Vulnerability: Should You Be Spooked?

SANS: Upcoming Critical OpenSSL Vulnerability: What will be Affected?

OpenSSL alert: Forthcoming OpenSSL Releases