Critical OpenSSL fix due Nov 1—what you need to know

Version 3.0.7 of OpenSSL will fix the software’s first critical issue for six years.

The post Critical OpenSSL fix due Nov 1—what you need to know appeared first on Malwarebytes Labs.

Posted: October 27, 2022

A fix for a critical issue in OpenSSL is on the way, announced in advance of its release on November 1, 2022, in a four-hour window between 13:00 UTC and 17:00 UTC. The release, version 3.0.7, will address a critical vulnerability for all versions of the software starting with a 3. Versions starting with a 1 are unaffected. A separate release for that branch of the software, version 1.1.1, is scheduled for the same day, but it is a bug fix and is not related to this issue.

This advance notice is designed to give a little time for organisations and individuals to get themselves ready for the upcoming critical update:

That’s our policy https://t.co/pNLA4Ce4yV to provide folks with a date they know to be ready to parse an advisory and see if the issue affects them. Given the number of changes in 3.0 and the lack of any other context information, such scouring is very highly unlikely.

— Mark J Cox (@iamamoose) October 26, 2022

This release has attracted a lot of attention because this is only the second time the OpenSSL team has marked an issue CRITICAL since it introduced its issue severity criteria in 2014.

OpenSSL only labels vulnerabilities as critical if they meet the following criteria:

This affects common configurations and which are also likely to be exploitable. Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys or where remote code execution is considered likely in common situations. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to address these as soon as possible.

The OpenSSL project describes its software as a "full-featured toolkit for general-purpose cryptography and secure communication"—a sort of cryptographic Swiss army knife. It is extremely widely used, either as a standalone application or embedded in other applications. Linux, FreeBSD, and macOS all come with some version of it, and it can be installed on Windows.

Version 3.0.0 was released just over a year ago, in September 2021. Version 1 remains much more widely used, but version 3 is used by a number of popular Linux distributions, including CentOS Stream 9, Red Hat Enterprise Linux 9 (RHEL 9), Ubuntu 22.10, Ubuntu 22.04 LTS, and Fedora Rawhide.

The Fedora Linux 37 release may be held up to include fixes for the vulnerability, and other responsible vendors are likely to move quickly to include updated versions in their software.

Heads up: we are very likely to slip the official Fedora Linux 37 release in order to integrate fixes for the upcoming critical openssl vulnerability. Official decision on this tomorrow.

— Matthew Miller (@mattdm) October 26, 2022

If you have access to a command line, you can discover what version you are using by punching in:

openssl version

If you have OpenSSL installed, it will return the version number and release date. If your version number starts with a 3, this critical issue affects you. In addition to this check, you may need to dig around for non-standard installations, and you may be running software or appliances that include OpenSSL too. Keep an eye out for communications from your software suppliers, particularly those that supply Internet-facing software or hardware.
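As an added example (not code from the Malwarebytes post), the following Python script applies the version rule above to the output of `openssl version`: a version beginning with 3 and older than 3.0.7 is affected, a 1.x version is unaffected, and a LibreSSL string (which is what the `openssl` binary bundled with macOS typically reports) is a separate fork that this rule does not cover. The sample output lines are constructed for the example, and the function names `parse_version`, `classify` and `installed_openssl_version` are chosen here.

```python
import re
import subprocess

# Constructed sample lines in the format `openssl version` prints; they are
# made up for this example, not captured from any real host.
SAMPLE_OUTPUTS = [
    "OpenSSL 3.0.5 5 Jul 2022",
    "OpenSSL 3.0.7 1 Nov 2022",
    "OpenSSL 1.1.1q  5 Jul 2022",
    "LibreSSL 3.3.6",
    "something unexpected",
]

# The first 3.x release carrying the fix described in the post.
FIXED_VERSION = (3, 0, 7)

# Product name, then major.minor.patch with an optional 1.x letter suffix.
VERSION_RE = re.compile(r"^(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(line):
    """Return (product, (major, minor, patch)) or None if the line is not recognised."""
    match = VERSION_RE.match(line.strip())
    if not match:
        return None
    product = match.group(1)
    version = (int(match.group(2)), int(match.group(3)), int(match.group(4)))
    return product, version


def classify(line):
    """Map an `openssl version` line to: affected, fixed, unaffected, not-openssl or unknown."""
    parsed = parse_version(line)
    if parsed is None:
        return "unknown"
    product, version = parsed
    if product != "OpenSSL":
        # LibreSSL is a separate fork with its own advisories; this rule does not apply to it.
        return "not-openssl"
    if version[0] != 3:
        # The post states that versions starting with a 1 are unaffected.
        return "unaffected"
    if version < FIXED_VERSION:
        return "affected"
    return "fixed"


def installed_openssl_version():
    """Run `openssl version` on this host; returns the output line, or None if no binary is found."""
    try:
        result = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return result.stdout.strip() or None


if __name__ == "__main__":
    for sample in SAMPLE_OUTPUTS:
        print(f"{sample!r:40} -> {classify(sample)}")
    local = installed_openssl_version()
    if local is None:
        print("no openssl binary on PATH; check packaged copies and appliances separately")
    else:
        print(f"this host: {local!r} -> {classify(local)}")
```

The script only covers the copy of OpenSSL on your PATH; as the post notes, applications and appliances often bundle their own copy, which this check will not see, so vendor advisories still need to be followed separately.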

The only other OpenSSL issue with a CRITICAL rating was CVE-2016-6309 in 2016. The biggest OpenSSL issue of all though was Heartbleed, which predates OpenSSL’s severity criteria. Heartbleed allowed remote attackers to expose sensitive data and continued to cause problems years after the event. It exposed the Internet’s dependence on small and unfashionable projects run by volunteers, and spawned forks like LibreSSL and BoringSSL that attempted to clean up OpenSSL’s complex codebase.

We will update this post as additional important information comes to light.

Related news

OpenSSL Releases Patch for 2 New High-Severity Vulnerabilities

The OpenSSL project has rolled out fixes to contain two high-severity flaws in its widely used cryptography library that could result in a denial-of-service (DoS) and remote code execution. The issues, tracked as CVE-2022-3602 and CVE-2022-3786, have been described as buffer overrun vulnerabilities that can be triggered during X.509 certificate verification by supplying a specially-crafted email
