- November 1, 2022
- Posted by: administrator
- Category: Global Sign
This almost certainly affects your organization
A critical vulnerability has been discovered in current versions of OpenSSL. The OpenSSL Project will release the fix, version 3.0.7, on Tuesday, November 1st, 2022, and it needs to be applied as soon as it is available.
To unpack that a little: OpenSSL is a software library that is very widely used to provide secure (TLS) network connections. And by widely used, I mean almost completely ubiquitous: if you're using HTTPS, chances are you're using OpenSSL somewhere. Almost everyone is.
So, this is something almost everyone needs to be aware of.
OpenSSL is developed by the OpenSSL Project, which advised on Wednesday, October 26th, that it would release a patch for a critical vulnerability the following Tuesday, November 1st.
Here’s how the OpenSSL Project defines a critical vulnerability:
“CRITICAL Severity. This affects common configurations, and which are also likely to be exploitable. Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys or where remote code execution is considered likely in common situations. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to address these as soon as possible.”
As is standard practice for pre-announced security fixes, the specifics of the vulnerability, what the exact threat is and where the weakness lies, have not been published. This is to avoid tipping off opportunistic attackers who could exploit it before it is patched.
The point of this notification isn't to trigger panic; there's no point in panicking. This just requires vigilance.
Make sure that the correct stakeholders in your organization are aware of this vulnerability, its potential severity, and the new version of OpenSSL (3.0.7) arriving on November 1st.
If you are that individual, you need to check that you are indeed using OpenSSL (you are) and which version you're running. Here's the nuance: this affects the 3.0 series only, so if you're running 3.0.0 through 3.0.6 (don't admit to that) you're going to need to patch immediately. Bear in mind that the copy reported by the `openssl` command on a host is not necessarily the one your applications link; many applications and runtimes bundle or statically link their own, and each of those copies needs checking.
If you're using version 1.1.1, this vulnerability doesn't affect you, but there is a 1.1.1 update coming on Tuesday as well, version 1.1.1s, which you're still going to want to apply, so you might as well schedule some time on Tuesday, too.
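As an added example (this is not code from the GlobalSign post or from the OpenSSL Project), the POSIX shell script below turns the two paragraphs above into a check: `classify_openssl` decides whether a given OpenSSL version string falls in the affected 3.0.0 to 3.0.6 range, the 1.1.1 range that still needs 1.1.1s, or neither, and `gather_openssl_versions` goes beyond the text by also reporting the versions embedded in the shared libraries and in the Python and Node runtimes on the host, since those are frequently not the copy the `openssl` command reports. The function names and the sample version strings in the demo loop are my own constructions.

```shell
#!/bin/sh
# Added example, not from the GlobalSign post: decide whether an OpenSSL
# version needs the 1 November 2022 releases, then look for every copy a
# host actually carries. Function names are the author's own choices.

# classify_openssl "<openssl version output or bare version>" prints one of:
#   affected : 3.0.0 through 3.0.6 (needs 3.0.7)
#   update   : 1.1.1 through 1.1.1r (not hit by the critical issue; 1.1.1s is still due)
#   ok       : 3.0.7 or later in the 3.0 series, or 1.1.1s or later
#   unknown  : anything else (1.0.2, LibreSSL, unparseable strings)
classify_openssl() {
    v=$1
    case "$v" in
        "OpenSSL "*) v="${v#OpenSSL }"; v="${v%% *}" ;;   # "OpenSSL 3.0.5 5 Jul 2022" -> "3.0.5"
    esac
    case "$v" in
        3.0.*)
            patch="${v#3.0.}"
            patch="${patch%%[!0-9]*}"                  # "7-dev" -> "7"
            if [ -z "$patch" ]; then echo unknown
            elif [ "$patch" -le 6 ]; then echo affected
            else echo ok
            fi ;;
        1.1.1*)
            case "${v#1.1.1}" in                       # letter suffix: "" or a..z
                ""|[a-r]) echo update ;;
                [s-z])    echo ok ;;
                *)        echo unknown ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# gather_openssl_versions prints every copy of OpenSSL this host is known to carry.
gather_openssl_versions() {
    # 1. The CLI on PATH (often not the copy an application actually links).
    echo "cli:      $(openssl version 2>/dev/null || echo 'no openssl binary on PATH')"
    # 2. Every libssl/libcrypto the dynamic linker knows about. The version
    #    string is embedded in the library, so grep it out of the binary.
    ldconfig -p 2>/dev/null | awk '/libssl\.so|libcrypto\.so/ { print $NF }' | sort -u |
    while read -r lib; do
        ver=$(grep -a -o -m1 'OpenSSL [0-9][0-9.]*[a-z]*' "$lib" 2>/dev/null | head -n1)
        echo "lib:      $lib -> ${ver:-version string not found}"
    done
    # 3. Runtimes that commonly bundle their own OpenSSL instead of using the system one.
    command -v python3 >/dev/null 2>&1 && echo "python3:  $(python3 -c 'import ssl; print(ssl.OPENSSL_VERSION)')"
    command -v node >/dev/null 2>&1 && echo "node:     OpenSSL $(node -p process.versions.openssl)"
    return 0
}

# Constructed sample strings, shaped like what `openssl version` prints on various hosts.
for sample in "OpenSSL 3.0.5 5 Jul 2022" "OpenSSL 1.1.1q  5 Jul 2022" \
              "OpenSSL 3.0.7 1 Nov 2022" "OpenSSL 1.1.1s 1 Nov 2022" \
              "OpenSSL 1.0.2u 20 Dec 2019"; do
    printf '%-30s %s\n' "$sample" "$(classify_openssl "$sample")"
done

# Run with --scan to report what this host actually carries.
if [ "${1:-}" = "--scan" ]; then gather_openssl_versions; fi
```

Run it with `--scan` on each host and feed every line it prints back through `classify_openssl`; a host is only clear when none of the copies it reports classify as `affected`. Anything reported as `unknown` (a 1.0.2 build, LibreSSL, or a string the script cannot parse) needs a manual look rather than being assumed safe.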
Unfortunately, the OpenSSL Project hasn't yet said how much time or effort the update will involve. Regardless, Tuesday is going to be an important day: the longer you wait to update, the longer your systems will potentially be vulnerable.
GlobalSign is proud to be your trusted digital partner, we’re closely monitoring this situation and will continue to provide updates on the blog and via direct customer communication (email) if any further action is required.
NOTE: This article is copyright globalsign.com and is reproduced here for educational or informational purposes only.