- The OpenSSL project is set to release a patch Tuesday for a critical vulnerability that security researchers warn could be the most serious the industry has seen in more than a decade.
- OpenSSL is a code library that is widely used across the internet to enable secure communications. OpenSSL announced early last week that it would release version 3.0.7 in order to address the vulnerability, which researchers say impacts anyone using version 3.0 or above.
- The patch represents only the second time the organization has ever released such a serious security update since the 2014 Heartbleed vulnerability.
The IT industry has become highly sensitive to issues surrounding the software supply chain and the security of open source since last year’s disclosure of the Log4j vulnerability.
Specific details of the vulnerability have not been released and a CVE has not yet been issued, however veteran industry researchers said the impact of any vulnerability involving OpenSSL will be widespread.
“It’s hard to overstate just how much of the internet relies on OpenSSL,” Brian Fox, CTO at Sonatype, said via email. “Heartbleed was particularly unique in that the vulnerability occurred at such a low level that threat actors didn’t need to seek out authentication.”
Fox said threat actors were able to essentially sit on a particular website and wait for the information they wanted to come through.
Researchers at Akamai estimate about 50% of their monitored environments have at least one machine with one process that depends on a vulnerable version of OpenSSL. Out of those networks, between 0.2% and 33% of machines in the network had some dependence on a vulnerable version of OpenSSL.
More than 1,000 image repositories could be affected across various Docker Official Images and Docker Verified Publisher images, according to a blog post from Docker. The images are based on Debian 12, Ubuntu 22.04 and RedHat Enterprise Linux 9+.
Until the security updates are released, organizations need to find out where they use OpenSSL in their environments, according to Check Point research. This can be done using a software bill of materials, which should provide a detailed inventory, according to Check Point.
The advanced warning from OpenSSL raised more than a few eyebrows — they proactively gave the industry more than a week’s notice to prepare for the security update, during a time when many organizations take weeks and months to acknowledge they have a vulnerability issue.
“One of the lessons learned from Heartbleed was that the security community needs more time to prepare for OpenSSL vulnerabilities,” Johannes Ullrich, dean of research at the SANS Technology Institute, said. “This is why OpenSSL started to issue advanced warnings like the one they issued last week.”