On Wednesday morning 2nd November New Zealand time the OpenSSL Project announced two new high-severity vulnerabilities (each assigned a CVE) in its general-purpose cryptography library. OpenSSL is an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols and is used in many open-source and commercially available products and solutions.
It is estimated that 66% of all web servers worldwide use OpenSSL to secure HTTPS web traffic. The software is also used to protect secure email communications and other Internet services. The announcement can be found here.
CVE, short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws. The CVE program is overseen by the MITRE Corporation with funding from the Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security.
The specific OpenSSL vulnerabilities that were disclosed on Wednesday, and have since been fixed with a software update, can be triggered by a buffer overrun during X.509 certificate verification. The OpenSSL project has classified both vulnerabilities as ‘HIGH’. Even though there are no known exploits at this time that could be used to dismantle an organization's security posture, it is still possible to launch a denial-of-service attack with specially crafted electronic communications.
OpenSSL Affected Libraries
Not all OpenSSL libraries are affected equally: only versions 3.0.0 through 3.0.6 are vulnerable.
The fix for all 3.0.x releases is provided in release 3.0.7. OpenSSL 3.0 was initially released on September 7th, 2021. The OpenSSL 1.x series has been available for 12 years and is not affected by this issue.
To determine whether affected systems require updating, system administrators need to verify the version of the OpenSSL library deployed on each operating system. The National Cyber Security Center of the Netherlands (NCSC-NL) maintains a list of systems under investigation. At the time of this writing a total of 646 systems are being assessed. 79% of those have already been classified as not vulnerable, which offers some relief.
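The version check described above can be scripted. The following POSIX shell script is an added example, not code from the original article or the OpenSSL project: it classifies the output of `openssl version` against the ranges stated here (3.0.0 to 3.0.6 affected, 3.0.7 fixed, 1.x not affected) and, when invoked with `--check`, runs that classification against the system binary. It assumes the version string alone is authoritative, which is not true for vendor builds that backport the fix without changing the version.

```sh
#!/bin/sh
# Added example (not from the original article): classify `openssl version`
# output against the ranges stated above: 3.0.0-3.0.6 affected, 3.0.7 fixed,
# 1.x not affected. Assumption: the version string is authoritative. A vendor
# build that backports the fix without bumping the version still reads as
# "affected" here (check the vendor advisory), and applications that bundle
# their own libssl are not covered by the system binary's answer at all.

# classify_openssl VERSION_LINE
#   VERSION_LINE is one line as printed by `openssl version`, for example
#   "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)".
#   Prints exactly one of: affected, fixed, not-affected, unknown
classify_openssl() {
    # The second whitespace-separated field carries the version number
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    case "$ver" in
        # 3.0.0 .. 3.0.6, optionally followed by a non-digit suffix
        3.0.[0-6]|3.0.[0-6][!0-9]*)                  echo affected ;;
        # 3.0.7 .. 3.0.9, 3.0.10 and later, 3.1+, and later major releases
        3.0.[7-9]*|3.0.[1-9][0-9]*|3.[1-9]*|[4-9].*) echo fixed ;;
        # The 1.x series is not affected by this issue
        1.*)                                         echo not-affected ;;
        # Empty or unparseable input (e.g. a LibreSSL banner)
        *)                                           echo unknown ;;
    esac
}

# check_installed_openssl: run the system's openssl binary and print the
# verdict; returns 0 when fixed or not affected, 1 when affected, 2 when the
# binary is missing or its output is unrecognised.
check_installed_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl binary not found; query your package manager instead" >&2
        return 2
    fi
    line=$(openssl version 2>/dev/null)
    verdict=$(classify_openssl "$line")
    printf '%s -> %s\n' "$line" "$verdict"
    case "$verdict" in
        affected) return 1 ;;
        unknown)  return 2 ;;
        *)        return 0 ;;
    esac
}

# Run the live check only when invoked as: sh check_openssl.sh --check
if [ "${1:-}" = "--check" ]; then
    check_installed_openssl
fi
```

The exit code makes the script usable from a fleet inventory job: a non-zero status flags hosts whose OpenSSL binary needs the 3.0.7 update or manual review.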
About 6% of the systems investigated are classified as vulnerable and require patching. Among those systems affected are popular Linux distributions from Debian, Dockerhub, SUSE, and VMware.
The table below offers an overview of the progress to date (4th November 2022).