In an official statement, OpenSSL announced the forthcoming release of its latest version, which will be published on Tuesday, November 1st 2022, between 13:00 and 17:00 UTC.
This release is expected to contain a fix for a CRITICAL security vulnerability, the highest severity level there is.
The OpenSSL Project defines a critical vulnerability as follows:
“CRITICAL Severity. This affects common configurations and which are also likely to be exploitable. Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys or where remote code execution is considered likely in common situations. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to address these as soon as possible.”
While details of the vulnerability are unknown at this point, we are calling on organizations to stay alert ahead of the release and to keep their systems patched and all protections up to date until further details are revealed.
It is important to note that versions 3.x and above are the ones reported vulnerable.
The expected release is OpenSSL version 3.0.7.
OpenSSL is a software library that applications use to secure communications over IT networks: it protects against information theft and eavesdropping and provides the means for parties to identify each other. OpenSSL is what makes it possible to use Transport Layer Security (TLS) on Linux, Unix, Windows, and many other operating systems.
As most companies in the world depend on OpenSSL, this vulnerability is alarming and could turn into a massive event if exploitation by attackers starts to surface.
If exploited, this vulnerability could let a threat actor take over a computer and disclose the information stored on it. Given how widespread OpenSSL is, this could mean a massive event: if a company uses OpenSSL on its website, its code may be vulnerable.
Until further details are revealed on Tuesday, we call on organizations to stay alert and follow security best practices, such as keeping all systems patched and updated to the latest operating system versions, while getting ready to update IPS protections once they become available.
We also recommend understanding in detail where OpenSSL is used within the organization. This can be done with an SBOM (software bill of materials), which provides a detailed list of the company’s software components.
Doing so allows prioritizing critical areas and preparing for the expected patch.
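As an added illustration of the SBOM-based inventory step (example code written for this post, not a Check Point tool), the script below reads a constructed CycloneDX-style JSON SBOM and lists the OpenSSL components that still need the patch. The affected range follows what the advisory states (the 3.x series is reported vulnerable and 3.0.7 carries the fix); the SBOM field names are an assumption and should be adapted to whatever your SBOM generator emits.

```python
import json
import re

# Constructed sample SBOM in a CycloneDX-like JSON layout (assumption: the
# real SBOM uses "components" entries with "name" and "version" fields).
SAMPLE_SBOM = json.dumps({
    "components": [
        {"name": "openssl", "version": "3.0.5", "purl": "pkg:generic/openssl@3.0.5"},
        {"name": "OpenSSL", "version": "1.1.1q", "purl": "pkg:generic/openssl@1.1.1q"},
        {"name": "openssl", "version": "3.0.7", "purl": "pkg:generic/openssl@3.0.7"},
        {"name": "zlib", "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13"},
    ]
})

# Per the advisory: the 3.x series is reported vulnerable and 3.0.7 is the
# release expected to carry the fix.
FIXED_VERSION = (3, 0, 7)

def parse_version(text):
    """Turn '3.0.5' or '1.1.1q' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """True for OpenSSL 3.x builds older than the 3.0.7 fix release.

    An unparseable version string is treated as affected so that it is
    surfaced for manual review rather than silently skipped.
    """
    v = parse_version(version)
    if v is None:
        return True
    return v[0] == 3 and v < FIXED_VERSION

def find_affected_openssl(sbom_json):
    """Return (name, version) pairs of OpenSSL components needing the patch."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        if comp.get("name", "").lower() != "openssl":
            continue
        if is_affected(comp.get("version", "")):
            hits.append((comp["name"], comp["version"]))
    return hits

if __name__ == "__main__":
    for name, version in find_affected_openssl(SAMPLE_SBOM):
        print(f"PATCH NEEDED: {name} {version}")
```

Run it against the SBOM export for each host or image; the list it prints is the prioritisation queue for Tuesday's patch.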
Check Point Researchers are keeping a close watch on this story and will report back as developments become available.