On Tuesday, 25th of October 2022, OpenSSL announced an upcoming critical vulnerability in OpenSSL 3.0 that would be resolved in an update released on Tuesday, 1st of November 2022.
OpenSSL v3.0.7 was released on Tuesday, 1st of November, which patched two high-severity vulnerabilities: CVE-2022-3602 and CVE-2022-3786.
Scope
The vulnerability only affects OpenSSL 3.0 – 3.0.6, so it does not impact systems using OpenSSL versions before 3.0 (the 1.x series).
OpenSSL 3 is commonly used in CentOS Stream 9, Ubuntu 22.04, Fedora 36, Fedora Rawhide and RHEL 9. If you have any web servers hosted on these operating systems, you should check to see if this patch is required.
Solution
Fortunately, the solution to this issue is to upgrade OpenSSL 3 to 3.0.7, which is relatively straightforward.
Executive Summary
If you’re in a technical, managerial position and need a simple breakdown of how to deal with this, I recommend the following steps.
- Enumerate your environment and get a complete list of all hosts which use OpenSSL 3.
- If you have 3rd party software that relies on OpenSSL 3, contact your software vendor for support as soon as possible.
- If you have a DevOps or Applications team, liaise with them to find out if OpenSSL 3 is being used anywhere else, but don’t take this as a certainty.
- Consider running a credentialed vulnerability scan to identify OpenSSL 3 in any applications. It's possible developers have it installed on their company laptops for testing.
- Schedule an urgent change to upgrade OpenSSL 3 to the latest version, 3.0.7.
- Any laptops identified with OpenSSL 3 at version 3.0.6 or earlier should be upgraded immediately to 3.0.7, or have OpenSSL removed. Bear in mind laptops may be out on public networks, so these are an attack vector that may be overlooked.
- Once you have confirmed OpenSSL has been upgraded everywhere, consider changing internal processes around testing on local laptops. Investing in a UAT/Testing environment is preferable to allowing staff to install things on their machine for testing.
- This does not impact SSL certificates.
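For the enumeration and upgrade steps above, the following is an added example (not part of the original post) that sorts collected `openssl version` output into the ranges given under Scope and lists the hosts that still need 3.0.7. The `host|banner` input format, the function names and the sample hostnames and banner lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Classify a version string against the range on this page:
# 3.0.0 - 3.0.6 affected, 3.0.7 and later patched, anything before 3.0 not affected.
classify_openssl() {
    s=$1
    case $s in
        LibreSSL*) echo not-openssl; return 0 ;;  # a different library, not OpenSSL 3
        "OpenSSL "*) s=${s#OpenSSL } ;;           # strip the banner prefix
    esac
    ver=${s%% *}                 # first word, e.g. 3.0.2 or 1.1.1k
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}      # drop suffixes such as "k" or "-beta1"
    case "$major.$minor.$patch" in
        *[!0-9.]*|.*|*..*|*.) echo unknown; return 0 ;;  # not a parseable x.y.z
    esac
    if [ "$major" -lt 3 ]; then echo not-affected
    elif [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]; then echo affected
    else echo patched
    fi
}

# Read "host|openssl version output" lines on stdin; print hosts that need the upgrade.
affected_hosts() {
    while IFS='|' read -r host banner; do
        [ -n "$host" ] || continue
        [ "$(classify_openssl "$banner")" = affected ] && echo "$host"
    done
    return 0
}

# Constructed sample inventory (hostnames and banners are illustrative, not real data).
sample_inventory() {
cat <<'EOF'
web01.example.internal|OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
web02.example.internal|OpenSSL 1.1.1k  FIPS 25 Mar 2021
build01.example.internal|OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
dev-laptop-17|LibreSSL 3.3.6
dev-laptop-22|OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
EOF
}

sample_inventory | affected_hosts
```

Distribution packages can backport the fix without changing the upstream version string that `openssl version` reports, so confirm any flagged host against the vendor's package advisory before treating it as unpatched.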