OpenSSL version 3.0 releases 9.8 Critical Vulnerability – CVE-2022-3602

Posted on November 4, 2022 (updated November 15, 2022) by rich
Cyber Security

On Tuesday, 25th of October 2022, OpenSSL announced an upcoming critical vulnerability in OpenSSL 3.0 that would be resolved in an update released on Tuesday, 1st of November 2022.

OpenSSL v3.0.7 was released on Tuesday, 1st of November, which patched two high-severity vulnerabilities: CVE-2022-3602 and CVE-2022-3786.

Scope

The vulnerability only affects OpenSSL 3.0 – 3.0.6, so it does not impact any systems using OpenSSL 1 or 2.

OpenSSL 3 is commonly used in CentOS Stream 9, Ubuntu 22.04, Fedora 36, Fedora Rawhide and RHEL 9. If you have any web servers hosted on these operating systems, you should check to see if this patch is required.

Solution

Fortunately, the solution to this issue is to upgrade OpenSSL 3 to 3.0.7, which is relatively straightforward.

Executive Summary

If you’re in a technical management position and need a simple breakdown of how to deal with this, I recommend the following steps.

  • Enumerate your environment and get a complete list of all hosts which use OpenSSL 3.
  • If you have 3rd party software that relies on OpenSSL 3, contact your software vendor for support as soon as possible.
  • If you have a DevOps or Applications team, liaise with them to find out if OpenSSL 3 is being used anywhere else, but don’t take this as a certainty.
  • Consider running a credentialed vulnerability scan to identify OpenSSL 3 on any applications. It’s possible Developers have this installed on their company laptops for testing.
  • Schedule an urgent change to upgrade OpenSSL 3 to the latest version, 3.0.7.
  • Any laptops identified with OpenSSL 3.0.6 or earlier should be upgraded immediately to 3.0.7, or have OpenSSL removed. Bear in mind laptops may be out on public networks, so these are an attack vector that may be overlooked.
  • Once you have confirmed OpenSSL has been upgraded everywhere, consider changes to internal processes on testing on local laptops. Investing in a UAT/Testing environment is preferable to allowing staff to install things on their machine for testing.
  • This does not impact SSL certificates.
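A first-pass triage script for the enumeration step above, added here as an example and not part of the original post. It assumes only a POSIX sh and the output format of `openssl version`; distributions such as Ubuntu 22.04 and RHEL 9 backport fixes without changing the upstream version string, so a hit means "check the package advisory", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example, not part of the original post. First-pass triage of a host's
# OpenSSL against the affected range the post gives (3.0.0 to 3.0.6).
# Caveat: distro packages may carry the fix under an older upstream version
# string, so confirm against the vendor advisory before closing a finding.

# openssl_affected VERSION
# VERSION is the output of `openssl version` ("OpenSSL 3.0.2 15 Mar 2022")
# or a bare version such as "3.0.6". Returns 0 when the version is within
# 3.0.0-3.0.6, 1 otherwise (including unparseable input and 1.x builds).
openssl_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^\(OpenSSL \)\{0,1\}\([0-9][0-9.]*[0-9]\).*/\2/p')
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.} ;;   # "0.6" -> 6
        *)   patch=0 ;;            # "3.0" has no patch component
    esac
    [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]
}

# Check the OpenSSL binary on this host, if there is one, and print a verdict.
report_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "no openssl binary in PATH (libssl may still be installed)"
        return 0
    fi
    v=$(openssl version 2>/dev/null)
    if openssl_affected "$v"; then
        echo "AFFECTED RANGE: $v (upgrade to 3.0.7 or confirm a distro backport)"
    else
        echo "not in affected range: $v"
    fi
}

report_local_openssl
```

Run it through your fleet tooling (SSH loop, Ansible, or an EDR script job) and collect the output per host to build the inventory the first step calls for.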
