OpenSSL 3.0 Critical Vulnerabilities: Should You be Spooked?

By: Sarabjeet Chugh

Nov 1 2022

Don’t be. Act now—use Panoptica to scan for OpenSSL vulnerabilities for free.

On November 1, the OpenSSL Project team released a critical patch for OpenSSL 3.0. The patch—OpenSSL 3.0.7—will fix this vulnerability in the library affecting OpenSSL versions 3.0.0 through 3.0.6, as well as any application with an embedded, impacted OpenSSL library, the team announced.
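A quick way to answer "is this host in the affected range?" is to compare the library's reported version against 3.0.0 through 3.0.6. The script below is an added example, not code from the original post or from Panoptica; it assumes the `openssl` CLI is on the PATH and parses its standard `openssl version` output (the function names are the example's own).

```shell
#!/bin/sh
# Added example, not code from the original post or from Panoptica.
# Classifies an `openssl version` string against the affected range named
# in the advisory (3.0.0 through 3.0.6, fixed in 3.0.7). POSIX sh only.

# Returns 0 when the given version string falls in 3.0.0..3.0.6, 1 otherwise.
# Input is the full CLI output, e.g. "OpenSSL 3.0.2 15 Mar 2022".
openssl_in_affected_range() {
    # Keep only the leading digits-and-dots token after "OpenSSL "; the
    # letter suffix of 1.x releases (1.1.1q) is dropped so fields stay numeric.
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 1

    major=${ver%%.*}                # "3.0.2" -> "3"
    rest=${ver#*.}                  # "3.0.2" -> "0.2"
    minor=${rest%%.*}               # "0.2"   -> "0"
    patch=${rest#*.}                # "0.2"   -> "2"
    # A bare "3.0" has no patch field; treat it as 3.0.0.
    [ "$rest" = "$patch" ] && patch=0
    case "$patch" in ''|*[!0-9]*) return 1 ;; esac

    if [ "$major" = 3 ] && [ "$minor" = 0 ] && [ "$patch" -le 6 ]; then
        return 0
    fi
    return 1
}

# Check the openssl CLI on this host; harmless when the binary is absent.
report_host() {
    v=$(openssl version 2>/dev/null) || { echo "openssl CLI not found"; return 0; }
    if openssl_in_affected_range "$v"; then
        echo "AFFECTED: $v (upgrade to 3.0.7 or a patched distro package)"
    else
        echo "not in affected range: $v"
    fi
}

report_host
```

Two caveats when reading the result. `openssl version` only describes the library the CLI is linked against; copies statically linked into other binaries or shipped inside container images will not show up, which is why package and image scanning is needed for fleet-wide coverage. Distributions such as Ubuntu 22.04 and RHEL 9 also backport fixes without changing the upstream version string, so a host reporting 3.0.2 may already carry the fix; confirm with the package changelog (`apt changelog openssl` or `rpm -q --changelog openssl`) rather than the version number alone.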

OpenSSL secures Transport Layer Security (TLS) on Linux, Unix, Windows, and many other operating systems. It's also used to secure almost every router, switch, networking and communication application, and device on the market.

This new vulnerability is a big deal, since the ubiquitous use of OpenSSL (which is even more pervasive than Java) could affect even more systems than Log4j. It’s important to get ahead of flaws like these to avoid inevitable exploits that could compromise your production systems.

If you're ready to take immediate action, you can use Panoptica, our cloud-native application security platform, free for the next 45 days to scan an unlimited number of containers, Kubernetes pods, and serverless functions to detect any OpenSSL 3.0 vulnerabilities and automatically prioritize patching of workloads based on risk.

Mark Cox, the Apache Software Foundation (ASF)'s VP of Security, tweeted this:

[Embedded tweet from @Mark_j_Cox]

Just how severe is a “critical” fix?

According to the OpenSSL security policy, an issue of critical severity both affects common configurations and is likely to be exploitable. Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities that can be easily exploited remotely to compromise server private keys, or cases where remote code execution is considered likely in common situations. In other words—these fixes are designed to address everything you don't want to happen to your production systems or your users’ private data!

This one could be a lot worse. We can only hope it's not as bad as that granddaddy of all open source security holes—2014's Heartbleed (CVE-2014-0160), one of the most infamous vulnerabilities ever—which was estimated to have affected over 42% of organizations worldwide. It exposed sensitive secrets and private keys that were supposed to be protected by SSL/TLS. The vulnerability devastated many organizations, caused thousands of websites to go down, and took months to remediate.

This critical fix impacts new versions of Linux, such as Ubuntu 22.04, CentOS 9, Fedora 9, and RHEL 9.x, which include OpenSSL v3 in their distributions.

But don’t despair—act now to protect your production systems against the next Heartbleed or worse attack.


How should security teams prepare?

As security teams and organizations prepare to patch the OpenSSL hole with v3.0.7, you’ll probably have two burning questions:

  1. Is my environment exposed to this vulnerability?
  2. If so, what can I do right now to protect the points of vulnerability?

Our commercial SaaS product, Panoptica, can help you answer these questions and help prevent sprawling ramifications for your users’ data and mission-critical systems. Free for the next 45 days, Panoptica scans all your Kubernetes deployments and serverless applications for vulnerable versions of OpenSSL—identifying, prioritizing, and patching your critical systems against this looming threat.

Here’s how:

  • It identifies all vulnerable workloads running on containers and Kubernetes environments on premises (OpenShift, Rancher, Docker, VMware Tanzu) or in one or more clouds (AWS, GCP, and Azure) by detecting OpenSSL packages.
  • It prioritizes remediation by the overall risk of each individual workload, helping you focus your efforts on the workloads that face the greatest risk.

Don’t delay. Act now.

For a limited time, sign up for Panoptica here, and scan an unlimited number of containers, Kubernetes pods, and serverless functions to detect any OpenSSL 3.0 vulnerabilities and automatically prioritize patching of workloads based on risk—free of charge. Or simply contact us and we will help you set up Panoptica to quickly scan your environment for this risk, at no charge.