OpenSSL version 3.0 releases 9.8 Critical Vulnerability – CVE-2022-3602

Posted on By rich No Comments on OpenSSL version 3.0 releases 9.8 Critical Vulnerability – CVE-2022-3602
Cyber Security

On Tuesday, 25th of October 2022, OpenSSL announced an upcoming critical vulnerability in OpenSSL 3.0 that would be resolved in an update released on Tuesday, 1st of November 2022.

OpenSSL v3.0.7 was released on Tuesday, 1st of November, which patched two high-severity vulnerabilities: CVE-2022-3602 and CVE-2022-3786.

Scope

The vulnerability only affects OpenSSL 3.0 – 3.0.6, so this vulnerability does not impact any systems using SSL 1 or 2.

OpenSSL 3 is commonly used in CentOS Stream 9, Ubuntu 22.04, Fedora 36, Fedora Rawhide and RHEL 9. If you have any web servers hosted on these operating systems, you should check to see if this patch is required.

Solution

Fortunately, the solution to this issue is to upgrade OpenSSL 3 to 3.07, which is relatively straight forward.

Executive Summary

If you’re in a technical, managerial position and need a simple breakdown of how to deal with this, I recommend the following steps.

  • Enumerate your environment and get a complete list of all hosts which use SSL 3.
  • If you have 3rd party software that relies on OpenSSL 3, contact your software vendor for support as soon as possible.
  • If you have a DevOps or Applications team, liaise with them to find out if OpenSSL 3 is being used anywhere else, but don’t take this as a certainty.
  • Consider running a credentialed vulnerability scan to identify OpenSSL 3 on any applications. It’s possible Developers have this installed on their company laptops for testing.
  • Schedule an urgent change to upgrade OpenSSL 3 to the latest version of 3.0.7
  • Any laptops identified with OpenSSL 3 with version 3.0.6 or earlier should be upgraded immediately to 3.0.7 or removed OpenSSL from laptops. Bear in mind laptops may be out on public networks, so these are an attack vector that may be overlooked.
  • Once you have confirmed OpenSSL has been upgraded everywhere, consider changes to internal processes on testing on local laptops. Investing in a UAT/Testing environment is preferable to allowing staff to install things on their machine for testing.
  • This does not impact SSL certificates.

You may also like

Ransomware
Cyber Security
How to implement a lightning-fast ransomware playbook
November 25, 2022
September 2022 Exchange 0-day finally patched
Cyber Security
Microsoft finally patched serious Exchange 0-day over a month old!
November 9, 2022
MFA
Cyber Security
How to prevent and protect against an MFA Flood attack
November 3, 2022
Phishing
Cyber Security
How to implement a SecOps team phishing response plan
November 15, 2022

Leave a Reply

Your email address will not be published. Required fields are marked *