
UPDATE: First OpenSSL Critical Vulnerability Since 2016

Update: Tuesday, November 1, 2022

On Tuesday, the OpenSSL project team released OpenSSL version 3.0.7 to fix two buffer overflow vulnerabilities that were alluded to in last week’s announcement. Both vulnerabilities have been downgraded to High from Critical, undoubtedly welcome news for admins who were preparing for the worst after the announcement last week.

While potentially serious, we believe both vulnerabilities, CVE-2022-3786 and CVE-2022-3602, are not likely to see widespread exploitation. Both vulnerabilities require the Certificate Authority (CA) to have signed a malicious certificate or for the application to continue with certificate verification despite failure to construct a path to a trusted issuer.

Of course, if you’re running OpenSSL 3.0+ on an internet-facing system, we’d recommend upgrading to version 3.0.7.

On Tuesday, October 25, 2022, the OpenSSL project team announced that OpenSSL version 3.0.7 will be released on Tuesday, November 1. The release will include a fix for a critical, security-related vulnerability in OpenSSL versions 3.0 forward. This vulnerability may have existed since September of last year.

Vulnerabilities in popular libraries like OpenSSL are sometimes referred to as "long-tail" bugs. That’s because we often have to wait on third parties to patch their own products. Discovery is a longer project in situations like this because libraries like OpenSSL are often embedded at multiple points in various software supply chains.

Details are not yet available on the vulnerability (we’ll update this post when they are), though the OpenSSL team security policy indicates that critical severity issues generally affect common configurations and are also likely to be exploitable. We are expecting patches to be released on Tuesday, November 1.

What to do now about the OpenSSL vulnerability

There are three things I consider when dealing with a new vulnerability: severity, exploitability, and exposure. In this case, we know the severity is critical. We likely won't know how practical it is for an actor to exploit until more information is released on November 1. So the immediate task is to determine your exposure, in terms of where it is, how accessible it is, how critical it is, and how quickly patches can be applied once available.

To do that, we strongly recommend verifying OpenSSL versions across your environment to determine if you are affected. This is where Automox's simplified patching solution can be a critical win for your security and IT teams. Use your team’s time to discover vulnerable software in your environment and then let your patching solution take it from there.

Once a patch is available, the ability to automatically push it out and track compliance allows your team to focus on the analytics while letting the machines quickly accomplish the mundane final steps.

How to find out if you’re exposed to the OpenSSL vulnerability

If you’re an Automox user, simply search your Software Inventory for “OpenSSL” and review the versions present.

And again, if you are running any version of OpenSSL from 3.0 onward, you'll need to be ready to upgrade to 3.0.7 as vendor patches are released.
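The version check described above, written out as an added example (this is not code from the Automox post or from the OpenSSL project): it parses `openssl version` output or the version strings an inventory tool reports, and flags builds in the 3.0 series older than the 3.0.7 fix release. The inventory list, host names and the `local_check` helper are constructed for illustration; `local_check` only runs the `openssl` binary if one is on PATH.

```python
"""Classify OpenSSL version strings against the 3.0.7 fix release.

Added example, not part of the Automox post. A build is reported as
affected when it is in the 3.0 series and older than 3.0.7 (the release
that fixes CVE-2022-3786 and CVE-2022-3602). OpenSSL 1.x builds and
3.0.7 or later are reported as not affected. Strings that are not
OpenSSL at all (e.g. LibreSSL) are reported as unknown/not affected.
"""
import re
import shutil
import subprocess

# Matches "OpenSSL 3.0.2 15 Mar 2022", "OpenSSL 1.1.1q 5 Jul 2022", etc.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")

FIRST_AFFECTED = (3, 0, 0)
FIXED_IN = (3, 0, 7)

# Constructed sample inventory; hosts and versions are illustrative only.
SAMPLE_INVENTORY = [
    {"host": "web-01", "openssl": "OpenSSL 3.0.2 15 Mar 2022"},
    {"host": "db-02", "openssl": "OpenSSL 1.1.1q 5 Jul 2022"},
    {"host": "api-03", "openssl": "OpenSSL 3.0.5 5 Jul 2022"},
    {"host": "mac-04", "openssl": "LibreSSL 3.3.6"},
    {"host": "build-05", "openssl": "OpenSSL 3.0.7 1 Nov 2022"},
]


def parse_version(text):
    """Return (major, minor, patch) from an `openssl version` style string.

    Returns None when the text does not contain an OpenSSL version. The
    letter suffix used by 1.x releases (e.g. 1.1.1q) is ignored, which is
    fine here because the whole 1.x series is outside the affected range.
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(text):
    """True when the build is 3.0.0 or later but older than 3.0.7."""
    version = parse_version(text)
    if version is None:
        return False
    return FIRST_AFFECTED <= version < FIXED_IN


def exposed_hosts(inventory):
    """Return the host names whose reported OpenSSL build needs the upgrade."""
    return [entry["host"] for entry in inventory if is_affected(entry["openssl"])]


def local_check():
    """Run `openssl version` on this machine, if an openssl binary is on PATH.

    Returns (raw_output, affected) or None when no binary is found. Note
    that this only inspects the command-line binary: applications that
    statically link or bundle their own libcrypto are not covered, which
    is why the inventory-based check above is the primary one.
    """
    exe = shutil.which("openssl")
    if exe is None:
        return None
    result = subprocess.run([exe, "version"], capture_output=True, text=True, check=False)
    output = result.stdout.strip()
    return output, is_affected(output)


if __name__ == "__main__":
    for host in exposed_hosts(SAMPLE_INVENTORY):
        print(f"{host}: upgrade to OpenSSL 3.0.7 when the vendor patch is available")
    local = local_check()
    if local is None:
        print("no openssl binary on PATH")
    else:
        print(f"local: {local[0]} -> {'AFFECTED' if local[1] else 'not affected'}")
```

Feed `exposed_hosts` whatever your software inventory exports (the Automox Software Inventory search mentioned above, or any package listing) rather than relying on `local_check` alone, since the CLI binary says nothing about copies of OpenSSL embedded in other products, which is exactly the "long-tail" problem described earlier in the post.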
