30/10/2022
Highlights:
- The OpenSSL project, a foundational component of encrypted communication on the internet, has announced a forthcoming fix for a critical-severity security vulnerability
- While details have not yet been shared, organizations are called to remain alert and prepare to patch and update systems this coming Tuesday, November 1st
- Because OpenSSL is so widely deployed, the potential magnitude of this vulnerability is enormous, hence the urgency to prepare to patch and update systems
- Check Point Researchers are closely monitoring this evolving story and will update on new protections as soon as details become available
Background
In an official statement last Tuesday, the OpenSSL project team pre-announced its next release, scheduled for Tuesday, November 1st 2022, between 1300 and 1700 UTC.
This release is expected to include a fix for a CRITICAL severity security vulnerability.
The OpenSSL Project defines a critical vulnerability as follows:
“CRITICAL Severity. This affects common configurations and which are also likely to be exploitable…”
While the exact details of the vulnerability are still unknown at this point, we are calling on organizations to stay alert ahead of the release, and to keep their systems patched and all protections up to date until further details are revealed.
Which OpenSSL versions are vulnerable?
OpenSSL 3.0 and later releases (the 3.0.x series, from 3.0.0 onwards) are the ones reported as affected; earlier release lines are not covered by the announcement.
OpenSSL 3.0.7 is the expected upcoming release and should include the fix for the critical vulnerability.
What is OpenSSL?
OpenSSL is a widely used open-source library that implements TLS and the cryptographic primitives behind it, enabling secured communication over the internet. Simply put, a large share of the websites we browse and the online services we access rely on OpenSSL, directly or through the operating systems and products built on it.
This means that on Tuesday we will all need to pay close attention to what the OpenSSL project team releases. It is expected to touch broad aspects of everyday internet usage.
What can be the risk?
While we will have to wait until November 1st for details of the vulnerability, the OpenSSL project's own definition of a critical issue covers outcomes such as disclosure of server memory, compromise of server private keys, or remote code execution. Any of these would undermine the very foundation of the encrypted sessions we all rely on with so many services today. Given how common OpenSSL is, this could turn into a massive event.
What can I do until further details are revealed?
In the meantime, organizations should stay alert and follow security best practices, including keeping operating systems and software patched and up to date, and getting ready to deploy IPS protections as soon as they become available.
We also recommend understanding in detail where OpenSSL is used within the organization. This can be done with a Software Bill of Materials (SBOM), which provides a detailed list of the components in the company's software, and by querying the OpenSSL version installed on each system.
Doing so allows prioritizing critical areas and preparing for the expected patch. Note that inventory alone does not tell you which instances are affected until the fix is published; it tells you where to look first.
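The inventory step described above, as an added example that is not part of the original advisory nor code from Check Point or the OpenSSL project: it reads a CycloneDX-style SBOM, picks out OpenSSL components, parses the output of `openssl version`, and flags versions in the announced range (3.0.0 up to, but not including, the expected 3.0.7 fix release). The SBOM document and the CLI output embedded below are constructed for illustration; the list of package names treated as OpenSSL, and the handling of distro-style version strings such as `3.0.2-0ubuntu1.6`, are assumptions that should be adjusted to your environment.

```python
"""Inventory OpenSSL versions from a CycloneDX SBOM and from `openssl version`
output, flagging the range covered by the pre-announcement (3.0.0 <= v < 3.0.7).

Added example; not code from Check Point or the OpenSSL project.
"""
import json
import re

FIXED_VERSION = (3, 0, 7)  # fix release announced for 1 November 2022

# Upstream version at the start of the string: "3.0.5", "1.1.1q", "3.0.2-0ubuntu1.6".
# Only the leading major.minor.patch[suffix] is read; the distro revision is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)")
# Typical `openssl version` output: "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 ...)"
_CLI_RE = re.compile(r"\bOpenSSL\s+(\d+\.\d+\.\d+[a-z]*)")
# Assumed package-name prefixes for OpenSSL across common distributions.
_OPENSSL_NAME_PREFIXES = ("openssl", "libssl", "libcrypto")


def parse_version(text):
    """Return (major, minor, patch, suffix) or None if text does not start with a version."""
    m = _VERSION_RE.match((text or "").strip())
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch), suffix


def classify(version_text):
    """'affected' for 3.0.0 <= v < 3.0.7, 'fixed' for 3.0.7 and later,
    'not-in-scope' for release lines before 3.0, 'unknown' if unparsable.

    Caveat: a vendor may backport the fix without changing the upstream
    version number, so 'affected' means 'review against the vendor advisory'."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    major, minor, patch, _suffix = v
    if major < 3:
        return "not-in-scope"
    return "affected" if (major, minor, patch) < FIXED_VERSION else "fixed"


def is_openssl_component(component):
    """Match by component name prefix or by the package in the purl (assumed naming)."""
    name = (component.get("name") or "").lower()
    purl = (component.get("purl") or "").lower()
    purl_pkg = purl.split("@", 1)[0].rsplit("/", 1)[-1]
    return name.startswith(_OPENSSL_NAME_PREFIXES) or purl_pkg.startswith(_OPENSSL_NAME_PREFIXES)


def scan_sbom(sbom_json):
    """Return [(name, version, status)] for every OpenSSL component in a CycloneDX SBOM."""
    doc = json.loads(sbom_json)
    findings = []
    for comp in doc.get("components", []):
        if is_openssl_component(comp):
            version = comp.get("version", "")
            findings.append((comp.get("name"), version, classify(version)))
    return findings


def scan_cli_output(text):
    """Classify every version string found in `openssl version` style output."""
    return [(v, classify(v)) for v in _CLI_RE.findall(text)]


# Constructed sample SBOM (CycloneDX JSON layout: components[].name/version/purl).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.5",
         "purl": "pkg:generic/openssl@3.0.5"},
        {"type": "library", "name": "openssl", "version": "1.1.1q",
         "purl": "pkg:generic/openssl@1.1.1q"},
        {"type": "library", "name": "libssl3", "version": "3.0.2-0ubuntu1.6",
         "purl": "pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.6?arch=amd64"},
        {"type": "library", "name": "zlib", "version": "1.2.13",
         "purl": "pkg:generic/zlib@1.2.13"},
    ],
})

# Constructed sample of what `openssl version` prints on a 3.0.5 host.
SAMPLE_CLI = "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)\n"


if __name__ == "__main__":
    for name, version, status in scan_sbom(SAMPLE_SBOM):
        print(f"SBOM  {name:<10} {version:<20} {status}")
    for version, status in scan_cli_output(SAMPLE_CLI):
        print(f"CLI   {version:<31} {status}")
```

Run against your real SBOM exports and the collected `openssl version` output from each host, the script gives a first-cut list of where the 3.0.x line is present so that those systems can be scheduled first when the 3.0.7 release lands. Treat "affected" as "needs review", not as confirmed vulnerable: the details of the issue are not public yet, and vendors sometimes backport fixes without bumping the upstream version.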
Check Point Researchers are keeping a close watch on this story and will report back as developments become available.
Emergency Response Hotline
At any given moment, if you feel you have been breached or are under attack, contact our Emergency Response Hotline.
In addition, our worldwide Technical Assistance Centers are available to assist you 24 x 7.