
Patching OpenSSL 3.x Vulnerabilities

Written by Joerg Micheel | Nov 7, 2022 12:14:00 AM

On Wednesday morning, 2nd November New Zealand time, the OpenSSL Project announced two new high-severity vulnerabilities (CVEs) in its general-purpose cryptography library. OpenSSL is an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols and is used in many open-source and commercially available products and solutions.

It is estimated that 66% of all Web servers worldwide use OpenSSL to protect the HTTPS secure web service. The software is also used to protect secure email communications and other Internet services. The announcement can be found here.

CVE, short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws. The CVE program is overseen by the MITRE corporation with funding from the Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security.

The specific OpenSSL vulnerabilities disclosed on Wednesday, since fixed by a software update, can be triggered by a buffer overrun during X.509 certificate verification. The OpenSSL project has classified both vulnerabilities as ‘HIGH’. Although there are no known exploits at this time that could be used to dismantle an organization's security posture, it is still possible to launch a denial-of-service attack with specifically crafted electronic communications.

OpenSSL Affected Libraries

However, not all OpenSSL libraries are born equal. Only the 3.0.x releases from 3.0.0 through 3.0.6 are affected.

The fix for all 3.0.x releases is provided in release 3.0.7. OpenSSL 3.0 was initially released on September 7th, 2021. OpenSSL libraries 1.x have been available for 12 years and are not affected by this issue.

To determine whether affected systems require updating, system administration personnel need to verify the version of the OpenSSL library deployed on a particular operating system. The National Cyber Security Centre of the Netherlands (NCSC-NL) maintains a list of systems under investigation. At the time of this writing a total of 646 systems are being assessed. 79% of those have already been classified as not vulnerable, which offers some relief.
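A first-pass version check of the kind described above, as an added example that is not part of the original post: the functions take the text printed by `openssl version` (or a bare version string) and classify it against the affected range the post gives (3.0.0 through 3.0.6, fixed in 3.0.7, 1.x unaffected). The function names and the sample version strings are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post. Classifies an OpenSSL
# version string against the affected range the post describes:
# 3.0.0 .. 3.0.6 vulnerable, 3.0.7 and later fixed, 1.x not affected.
# Function names and sample inputs are constructed for this example.

# Pull the bare "major.minor.patch" out of an `openssl version` line such as
# "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q  5 Jul 2022", or out of a bare
# string such as "3.0.7". Prints nothing when no version number is present.
openssl_version_number() {
    printf '%s\n' "$1" | sed -n \
        's/^\(OpenSSL \)\{0,1\}\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)[a-z]*.*/\2/p'
}

# Print exactly one of: vulnerable, fixed, not-affected, unknown.
openssl_status() {
    v=$(openssl_version_number "$1")
    if [ -z "$v" ]; then
        echo unknown
        return 0
    fi
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$major" -lt 3 ]; then
        # The 1.x branch is not affected, per the advisory summarised in the post.
        echo not-affected
    elif [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]; then
        # 3.0.0 .. 3.0.6: update to 3.0.7.
        echo vulnerable
    else
        # 3.0.7 or any later release.
        echo fixed
    fi
}

# Convenience wrapper: classify the OpenSSL command-line tool on this host.
# Prints "unknown" when no openssl binary is on PATH.
local_openssl_status() {
    if command -v openssl >/dev/null 2>&1; then
        openssl_status "$(openssl version 2>/dev/null)"
    else
        echo unknown
    fi
}

# Stand-alone use: `sh check_openssl.sh --local` reports on this host.
if [ "${1:-}" = "--local" ]; then
    printf 'local openssl: %s\n' "$(local_openssl_status)"
fi
```

Treat the result as a screening step rather than a verdict: the `openssl` binary on PATH need not be the library that a given service is linked against (statically linked or container-bundled copies carry their own version), and distribution packages sometimes backport the fix while keeping the upstream version number, so the package changelog or vendor advisory is the authoritative source for a "vulnerable" result.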

About 6% of the systems investigated are classified as vulnerable and require patching. Among those systems affected are popular Linux distributions from Debian, Dockerhub, SUSE, and VMware.

The below table offers an overview of the progress to date (4th November 2022).

Status            Number   Percent
Vulnerable            39        6%
Fix                   25        4%
Workaround             1        0%
Not vulnerable       513       79%
Investigation         68       11%
Total                646      100%

An alternative way of identifying affected software is through a software bill of materials (SBOM), which shows where the vulnerable OpenSSL libraries are used and running. This can, for example, be achieved using Aqua Security’s Supply Chain Security (SCS).

An open-source alternative is to use the trivy scanner, as demonstrated in this blog.

Please contact OSS Group if you are looking for assistance with assessing your vulnerability status or need help patching potentially affected server systems.