The OpenSSL project will issue a patch for a critical vulnerability on November 1st for its open-source security library, a rare event that application developers and system administrators need to pay attention to.
The last time OpenSSL issued a critical vulnerability patch was in 2016, researchers at Venafi noted, and this is just the second patch to be assigned a critical rating.
It isn’t known exactly what OpenSSL 3.0.7 fixes. The update notice doesn’t detail the vulnerability or vulnerabilities. That information will be included with the release.
OpenSSL is a command-line toolkit for Windows, Linux, and macOS used to generate private keys, create certificate signing requests, install SSL/TLS certificates, and identify certificate information. Briefly, it secures communications.
Action should be required more by system administrators than application developers, said Johannes Ullrich, dean of research at the SANS Technology Institute. Software using OpenSSL will typically just use the library installed in the operating system. However, there are some cases where developers bundle the library with their code, in which case they will need to update and distribute a new version of their code.
After “Heartbleed“, OpenSSL implemented pre-announcements like the one they issued this week, he said. This, he said, will hopefully give organizations a bit of time to get ready.
“First of all, it is important to identify systems that come with OpenSSL 3.0 installed,” Ullrich said. The operating system should offer an update at the time the vulnerability is made public. Be on the lookout for updates to Linux systems in particular. But OpenSSL may be used by others as well. MacOS does not come with OpenSSL by default, but instead uses the LibreSSL library. LibreSSL is not covered by the announcement. But I find that software installed on MacOS sometimes includes its own copy of OpenSSL.
“Different SSL/TLS implementations are often identifiable on the network. Each implementations has its own “Fingerprint” of options and ciphers it supports. You may be able to identify systems running OpenSSL 3.0 by inspecting these TLS fingerprints. Intrusion detection systems like Zeek can be used to collect the fingerprints.”
Mattias Gees, container product lead at Venafi, noted that OpenSSL versions prior to 3.0 are not impacted, and a lot of operating systems use OpenSSL 1.1, so these environments won’t be affected. “This knowledge will allow cybersecurity and operations teams to dismiss large sections of their infrastructure, and hopefully make the impact of this vulnerability smaller than initially expected. But platform engineering teams should keep investing in better auditing of their environments and their dependencies for the next threat, which is always just around the corner.”