New OpenSSL vulnerabilities – released 01/11/2022
You may have heard of the recently released (1/11/2022) OpenSSL vulnerabilities, which are getting a lot of attention. The media coverage and hype around the release carried similar connotations to the Log4j issue. The build-up to the release raised tension, as IT admins worried about the impact of the release and how much danger the systems they manage were in.
OpenSSL is the security layer used by a vast amount of software, including websites and some desktop software, to provide the encryption the modern world depends on. It is what lets most websites show the padlock in the address bar, so the potential impact of this release was incredibly high.
However, now that the details have been released, the panic is much reduced.
Firstly, the number of actually vulnerable versions in the wild is relatively low. The issue affects a relatively narrow range of OpenSSL, only versions 3.0.0 to 3.0.6, so the range of servers and applications affected is much smaller than initially anticipated. Secondly, the way the vulnerability works means the method of exploitation is convoluted, and a successful exploit would indicate other serious problems already in existence.
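A quick way to triage an estate against the affected range above is to parse the banner that `openssl version` prints and compare it with 3.0.0 to 3.0.6. The following is an added example, not code from the original post or from the OpenSSL project; the sample banners are constructed.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Affected range as stated in the post: OpenSSL 3.0.0 through 3.0.6 inclusive.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

# Matches "OpenSSL 3.0.5 ..." and also lettered 1.1.1 releases such as "OpenSSL 1.1.1q".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `openssl version` output.

    Returns None for non-OpenSSL banners (e.g. LibreSSL) or unparseable text,
    so callers can flag hosts that need a manual look instead of silently passing.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(banner: str) -> bool:
    """True if the banner reports an OpenSSL build inside the 3.0.0-3.0.6 range."""
    v = parse_openssl_version(banner)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def local_openssl_banner() -> Optional[str]:
    """Run `openssl version` on this host; None if no binary is on PATH."""
    exe = shutil.which("openssl")
    if exe is None:
        return None
    result = subprocess.run([exe, "version"], capture_output=True, text=True, check=False)
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed sample banners (not taken from real hosts) covering each outcome.
    samples = ["OpenSSL 3.0.5 5 Jul 2022", "OpenSSL 3.0.7 1 Nov 2022",
               "OpenSSL 1.1.1q  5 Jul 2022", "LibreSSL 3.3.6"]
    for s in samples:
        print(f"{s!r}: {'AFFECTED' if is_affected(s) else 'not affected'}")
    banner = local_openssl_banner()
    if banner is not None:
        print(f"this host: {banner!r}: {'AFFECTED' if is_affected(banner) else 'not affected'}")
```

Treat a match as a prompt to check, not a verdict: distribution packages often backport the fix while keeping the upstream version number, so confirm against the vendor's package changelog before declaring a host vulnerable.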
“Exploiting this vulnerability requires quite a bit of set up and a number of factors to fall into place before it could be leveraged. Organizations should perform analysis to see if they are impacted, although there are relatively limited affected systems, as the attack primarily impacts the client-side, not the server,” commented Victor Wieczorek, VP of App Sec, Threat & Attack Simulation at GuidePoint Security.
VMhosts will be monitoring the situation for our customers and patching software as appropriate. If you need any help or support with this issue or any other issues, please reach out to us on 012223 919254.