OpenSSL Gives Heads Up to Critical Vulnerability Disclosure,
Check Point Alerts Organizations to Prepare Now

  • The OpenSSL project, a foundational component of the secured internet we all rely on, announced that it will patch a critical severity security vulnerability
  • While details have yet to be shared, organizations are advised to remain alert and prepare to patch and update systems this coming Tuesday, November 1st
  • Because OpenSSL is so widely used, the potential magnitude of this vulnerability is enormous, hence the urgency to patch and update systems
  • Check Point Researchers are closely monitoring this evolving story and will update on new protections as soon as details become available.

OpenSSL

In an official statement, OpenSSL announced the forthcoming release of its latest version, to be published on Tuesday, November 1st 2022 between 1300-1700 UTC.
This release is expected to contain a security fix for a CRITICAL severity vulnerability, the highest level in the project's severity scale.

The OpenSSL Project defines a critical vulnerability as follows:
“CRITICAL Severity. This affects common configurations and which are also likely to be exploitable. Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys or where remote code execution is considered likely in common situations. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to address these as soon as possible.”

While details of the vulnerability are unknown at this point, we are calling on organizations to stay alert ahead of the release and keep their systems patched and all protections up to date until further details are revealed.

Which OpenSSL versions are vulnerable?

It’s important to note that versions 3.x and above are the ones reported vulnerable.

The expected release will be OpenSSL version 3.0.7.

What is OpenSSL?

OpenSSL is a software library that applications use to secure communications over IT networks against information theft and eavesdropping, and to identify the communicating parties to each other. OpenSSL is what makes it possible to use Transport Layer Security (TLS) on Linux, Unix, Windows, and many other operating systems.

Because most companies in the world depend on OpenSSL, this vulnerability is alarming and could turn into a massive event if exploitation by attackers begins to surface.

What can be the risk?

This vulnerability, if exploited, could allow a threat actor to take over a computer and disclose the information stored on it. Given how common OpenSSL is, this could mean a massive event. If a company uses OpenSSL on its website, that website's code may be vulnerable.

What can I do until further details are revealed?

Until further details are revealed on Tuesday, we call on organizations to stay alert and follow security best practices, such as keeping all systems patched and updated to the latest operating system versions, while getting ready to update IPS protections once they become available.

We also recommend understanding in detail where OpenSSL is used within the organization. This can be done with an SBOM (software bill of materials), which provides a detailed list of the company’s software components.

Doing so will allow prioritizing critical areas and preparing for the expected patch.
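As an added example of the SBOM-driven inventory described above (not code from Check Point or the OpenSSL project), the following script walks a CycloneDX JSON SBOM and lists every OpenSSL 3.x component older than the announced 3.0.7 fix. The SBOM embedded in it is a constructed sample; the CycloneDX field names (`components`, `name`, `version`) are assumed to match the format your SBOM tooling emits.

```python
"""Flag OpenSSL 3.x components below 3.0.7 in a CycloneDX JSON SBOM."""
import json
import re
from typing import Iterator

# Fixed version announced by the OpenSSL project for the 1 Nov 2022 release.
FIXED_VERSION = (3, 0, 7)

# Constructed sample SBOM (CycloneDX 1.4 JSON shape); not a real inventory.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.5",
         "purl": "pkg:deb/ubuntu/openssl@3.0.5"},
        {"type": "library", "name": "openssl", "version": "1.1.1q"},
        {"type": "application", "name": "gateway", "version": "2.1",
         "components": [
             {"type": "library", "name": "OpenSSL", "version": "3.0.7"}]},
        {"type": "library", "name": "libcurl", "version": "7.85.0"},
    ],
})


def _walk(components: list) -> Iterator[dict]:
    """Yield every component, descending into nested component lists."""
    for comp in components:
        yield comp
        yield from _walk(comp.get("components", []))


def _parse_version(version: str):
    """Return (major, minor, patch) for a '3.0.5'-style string, else None."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def find_affected(sbom_json: str) -> list:
    """Return (name, version) of OpenSSL 3.x components older than 3.0.7."""
    sbom = json.loads(sbom_json)
    affected = []
    for comp in _walk(sbom.get("components", [])):
        if comp.get("name", "").lower() != "openssl":
            continue
        parsed = _parse_version(comp.get("version", ""))
        # Only the 3.x series is in scope; 1.1.1q does not parse and is skipped.
        if parsed and parsed[0] == 3 and parsed < FIXED_VERSION:
            affected.append((comp["name"], comp["version"]))
    return affected


if __name__ == "__main__":
    for name, version in find_affected(SAMPLE_SBOM):
        print(f"update needed: {name} {version} -> 3.0.7")
```

Point `find_affected` at the JSON of a real SBOM to get the list of components to prioritize once 3.0.7 is published.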

Check Point Researchers are keeping a close watch on this story and will report back as developments become available.
