Dive Brief:
- The OpenSSL project is set to release a patch Tuesday for a critical vulnerability that security researchers warn could be the most serious the industry has seen in more than a decade.
- OpenSSL is a code library that is widely used across the internet to enable secure communications. OpenSSL announced early last week that it would release version 3.0.7 in order to address the vulnerability, which researchers say impacts anyone using version 3.0 or above.
- The patch is only the second security update of this severity the project has released since the 2014 Heartbleed vulnerability.
Dive Insight:
The IT industry has become highly sensitive to issues surrounding the software supply chain and the security of open source since last year’s disclosure of the Log4j vulnerability.
Specific details of the vulnerability have not been released and a CVE has not yet been issued; however, veteran industry researchers said the impact of any vulnerability involving OpenSSL will be widespread.
“It’s hard to overstate just how much of the internet relies on OpenSSL,” Brian Fox, CTO at Sonatype, said via email. “Heartbleed was particularly unique in that the vulnerability occurred at such a low level that threat actors didn’t need to seek out authentication.”
Fox said threat actors were able to essentially sit on a particular website and wait for the information they wanted to come through.
Researchers at Akamai estimate that about 50% of the environments they monitor have at least one machine running at least one process that depends on a vulnerable version of OpenSSL. Within those networks, between 0.2% and 33% of machines had some dependence on a vulnerable version of OpenSSL.
More than 1,000 image repositories could be affected across various Docker Official Images and Docker Verified Publisher images, according to a blog post from Docker. The affected images are based on Debian 12, Ubuntu 22.04 and Red Hat Enterprise Linux 9+.
Until the security updates are released, organizations need to find out where they use OpenSSL in their environments, according to Check Point research. A software bill of materials (SBOM), which should provide a detailed inventory of components and their versions, is one way to do this, Check Point said.
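The inventory step above is the part most teams had to improvise. The following is an added example, not code from the article, Check Point or the OpenSSL project: it walks a CycloneDX-style SBOM (the `components` list, nested components included, each with `name`, `version` and optionally `purl`) and flags OpenSSL components in the pre-announced affected range, which the article gives as 3.0 and above with the fix landing in 3.0.7. The sample SBOM and the package-name heuristics (`openssl`, `libssl*`, `libcrypto*`) are constructed assumptions for the example.

```python
"""Flag OpenSSL components in a CycloneDX-style SBOM that fall in the
affected range announced for the 3.0.7 release (3.0.0 up to, but not
including, 3.0.7). Constructed example; not an official tool."""
import re

# Affected range as described in the advisory coverage: 3.0.x before 3.0.7.
AFFECTED_MIN = (3, 0, 0)
FIXED_VERSION = (3, 0, 7)


def parse_version(version):
    """Reduce '3.0.5', '1.1.1q' or '3.0.2-0ubuntu1' to an (int, int, int)
    tuple, ignoring letter suffixes and distro revisions. Returns None when
    the string carries no dotted numeric version."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the version is in [3.0.0, 3.0.7); 1.1.1x is not flagged."""
    t = parse_version(version)
    return t is not None and AFFECTED_MIN <= t < FIXED_VERSION


def looks_like_openssl(component):
    """Heuristic match on package names commonly used for OpenSSL builds
    (assumption: upstream 'openssl' plus Debian/Ubuntu runtime packages)."""
    name = component.get("name", "").lower()
    purl = component.get("purl", "").lower()
    return (name.startswith(("openssl", "libssl", "libcrypto"))
            or "/openssl@" in purl)


def find_affected(sbom):
    """Depth-first walk over components; returns (name, version, purl)
    for every OpenSSL-looking component in the affected range."""
    hits = []

    def walk(components):
        for comp in components:
            version = comp.get("version", "")
            if looks_like_openssl(comp) and is_affected(version):
                hits.append((comp.get("name"), version, comp.get("purl", "")))
            walk(comp.get("components", []))  # CycloneDX allows nesting

    walk(sbom.get("components", []))
    return hits


# Constructed sample SBOM: one affected host package, one unaffected 1.1.1
# build, one affected library nested inside a container component.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.5",
         "purl": "pkg:deb/debian/openssl@3.0.5-1"},
        {"type": "library", "name": "openssl", "version": "1.1.1q",
         "purl": "pkg:deb/ubuntu/openssl@1.1.1q-1"},
        {"type": "container", "name": "app-image", "version": "1.0",
         "components": [
             {"type": "library", "name": "libssl3", "version": "3.0.2-0ubuntu1",
              "purl": "pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1"},
         ]},
        {"type": "library", "name": "requests", "version": "2.28.1"},
    ],
}

if __name__ == "__main__":
    for name, version, purl in find_affected(SAMPLE_SBOM):
        print(f"AFFECTED {name} {version} {purl}")
```

The version parser deliberately drops distro revision strings such as `-0ubuntu1`; a distribution may backport the fix without bumping the upstream version, so a hit from this script is a prompt to check the vendor's advisory rather than a confirmed exposure.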
The advance warning from OpenSSL raised more than a few eyebrows: the project proactively gave the industry more than a week's notice to prepare for the security update, at a time when many organizations take weeks or months to acknowledge they have a vulnerability at all.
“One of the lessons learned from Heartbleed was that the security community needs more time to prepare for OpenSSL vulnerabilities,” Johannes Ullrich, dean of research at the SANS Technology Institute, said. “This is why OpenSSL started to issue advanced warnings like the one they issued last week.”