So the latest OpenSSL version in the 3.0 release has a fix which is version 3.0.7 which will address a critical vulnerability in the 3.x versions. (so if you are using 2.x you are ok for now). OpenSSL is the open source implementation of SSL and TLS secure communication protocols.
MalwareBytes Blog had a post on Oct 27th
(that was last week — UPDATE on Nov7th see at bottom)
Also at securityaffairs.co a post(July 7th) OpenSSL version 3.0.5 fixes a flaw that could potentially lead to RCE(Remote Code Execution):
So this has been around for a while now (3 or 4 months at least)
Why are we in this spot? because OpenSSL 3.0.5 introduced a serious bug in a cryptographic implementation. This means some applications which require cryptography and use OpenSSL with private keys and 2048 bit RSA implementation could cause a memory corruption which creates a weakness that an attacker could exploit.
“SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.”
The big question is how does one know if one has software that has OpenSSL?
Obviously the easy item is if one installed OpenSSL then you know what you have.
But what if you did not install? How can you make sure that the software on your systems have OpenSSL version that is vulnerable?
So the old adage applies, one must do an inventory of all hardware and software. And then test with a vulnerability scanner to find out if one has vulnerabilities that would cause problems. And since this issue first hit around 3 months ago the fix is finally in.remember my explanation of patching bug found to patched safe(it takes weeks and some of that time one is vulnerable):
Get my book to see these principles: “Too Late You’re Hacked”
Which should lead you to create a patching program in your environment.
Nov 7th Update this post: https://words.filippo.io/dispatches/openssl-punycode/
Shows that more research means that the OpenSSL issue is actually a high vulnerability not critical.
A high vulnerability just means you should update but you can take a little more time to do it.
No one said cybersecurity is easy? right?