Critical OpenSSL Vulnerability version 3.0

Updated (October 27th, 2022): List of vendors and software affected by the OpenSSL vulnerability here.

Critical OpenSSL vulnerability in version 3.0 and above: OpenSSL has just pre-announced a critical vulnerability affecting version 3.x. The flaw could expose server private keys and/or allow remote code execution (RCE). OpenSSL classifies an issue as critical when it can be easily exploited remotely to compromise server private keys, or when remote code execution is considered likely in common situations. The patched version, 3.0.7, will be released by OpenSSL on Tuesday, November 1st, between 1300 and 1700 UTC. Versions before 3.0 are not affected.

The highest severity issue fixed in this release is CRITICAL.

This will be OpenSSL’s first “CRITICAL” vulnerability since 2016. Examples of “CRITICAL” vulnerabilities include “significant disclosure of the contents of server memory (potentially revealing user details)”.

What is OpenSSL?

The OpenSSL library is an open-source implementation of the SSL and TLS cryptographic protocols, which make secure communication across networks possible.

Libraries reside in applications that run on operating systems – and there is a marathon’s worth of hurdles to overcome to truly weaponize a use-after-free or similar bug.

OpenSSL can be included in operating systems, network devices, and software. The following distributions may include OpenSSL 3 by default:
– CentOS Stream 9
– Red Hat Enterprise Linux 9 (RHEL 9)
– Ubuntu 22.10
– Ubuntu 22.04 LTS
– Fedora Rawhide
– Many appliances use the OpenSSL library

Other vendors also have time to prepare. Cisco WSA (IronPort) and Symantec VIP Gateways will be in scope too.

Basically, no details have been shared with the public about the vulnerability and, according to OpenSSL core team member Mark J. Cox, attackers are unlikely to ferret out the vulnerability before the fixed version is widely deployed. “Given the number of changes in 3.0 and the lack of any other context information, attackers successfully scouring the commit history between 3.0 and the current version is very highly unlikely,” he opined.

All users of OpenSSL should use this time to inventory their instances of OpenSSL and prepare for immediate patching once the fix is released. We recommend that you begin identifying your vulnerable systems now and prepare to patch (schedule a task force for November 1st).

Simultaneously releasing an OpenSSL 1.1.1s bug fix release in the exact same time window, without explicitly saying it’s not critical, is either unnecessarily confusing or a rough way to throw in a fix for the same vulnerability. If you know in advance where you are using OpenSSL 3.0+ and how you are using it, then when the advisory comes you’ll be able to quickly determine if or how you’re affected and what you need to patch.
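As an added example (not code from the original post or from the OpenSSL project), the following POSIX shell script inventories OpenSSL on a Linux host: it reads the CLI version, lists the distribution packages through dpkg or rpm, and searches the filesystem for bundled libssl/libcrypto 3.x shared objects, since appliances and self-contained software often carry their own copy that the package manager does not know about. The version classification assumes that every 3.0.x release before 3.0.7 is in scope and that 1.x builds and 3.0.7 or later are not; the function names and the `--inventory` flag are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): inventory OpenSSL on a Linux
# host and flag builds that fall in the affected 3.0.x range.
# Assumption (not stated on the page): every 3.0.x release before 3.0.7 is
# treated as affected; 1.x and 3.0.7 or later are treated as not affected.

# Return 0 (true) when a version string such as "3.0.5" is in the affected range.
is_affected_version() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}      # drop suffixes such as "7-dev" or "2a"
    [ "$major" = "3" ] || return 1
    [ "$minor" = "0" ] || return 1
    [ "${patch:-0}" -lt 7 ]
}

# Extract the bare version number from "openssl version" output,
# e.g. "OpenSSL 3.0.5 5 Jul 2022" -> "3.0.5".
parse_openssl_version_line() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# Best-effort host inventory; each check is skipped when its tool is absent.
inventory_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        v=$(parse_openssl_version_line "$(openssl version)")
        if is_affected_version "$v"; then
            echo "CLI openssl $v: in affected 3.0.x range, patch to 3.0.7 when released"
        else
            echo "CLI openssl $v: not in affected range"
        fi
    fi
    # Distribution packages: Debian/Ubuntu family, then RHEL/Fedora family.
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Package} ${Version}\n' 'libssl*' openssl 2>/dev/null
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{NAME} %{VERSION}\n' openssl openssl-libs 2>/dev/null
    fi
    # Bundled copies: appliances and vendor software often ship their own libssl.
    find / -xdev \( -name 'libssl.so.3*' -o -name 'libcrypto.so.3*' \) 2>/dev/null || true
}

# Only run the inventory when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--inventory" ]; then
    inventory_openssl
fi
```

Run it as `sh inventory.sh --inventory` on each host you want to check; the `find` pass is the slow part and needs enough privilege to read system directories. Package-manager output still has to be read against your distribution's own version string, since vendors backport fixes without bumping the upstream version number.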

Source: https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html

Fedora will slip the official Fedora Linux 37 release in order to integrate fixes for the upcoming critical OpenSSL vulnerability.

Organizations, users, get ready! We’ll keep you updated.
