Security Advisory: Critical OpenSSL Vulnerability

user profile

On Tuesday, November 1st, OpenSSL is releasing a critical patch. Given the ubiquity of OpenSSL, rapid remediation will be imperative as attackers will attempt to exploit the vulnerability as quickly as possible. While details on the vulnerability are scarce, critical is OpenSSL’s highest severity level and is documented as:

“This affects common configurations and which are also likely to be exploitable. Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys or where remote code execution is considered likely in common situations. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to address these as soon as possible.”

The patch to OpenSSL 3.0.7 will secure all impacted 3.x versions. 

Cycode recommends the following remediation steps:

  1. Detect Vulnerable Instances: Determine where OpenSSL 3.x is leveraged across all software delivery pipelines.
  2. Document Deployment Locations: Determine where vulnerable versions of OpenSSL are deployed in production environments and document them. 
  3. Apply OpenSSL 3.0.7 Patch: When the patch becomes available on November 1st, apply it as quickly as possible.
  4. Confirm Comprehensiveness of Patching: Leverage the documented deployment locations to confirm all vulnerable instances have been secured.

To see how Cycode’s Next-Gen SCA: Pipeline Composition Analysis can help determine where OpenSSL 3.x exists in your pipeline and where it is deployed in runtime environments (e.g. which Kubernetes pods run OpenSSL 3.x) please request a Cycode demo here:

Originally published: October 29, 2022