The OpenSSL project is releasing details of a critical security vulnerability on 1st November, fixed in version 3.0.7. OpenSSL is a cryptography library used by a lot of applications that need to talk across the Internet. A previous critical vulnerability was horrid to deal with, but it did persuade a lot of organisations to opt for alternative libraries (which has possibly made the hunt slightly harder). For example, Apple went with LibreSSL for OSX, which is presumably not vulnerable. The coverage from those with access to the embargoed release suggests it is important to fix promptly.

What is revealed so far:

- Affects 3.0.0 to 3.0.6
- Is critical
- More on Tuesday from 13:00 UTC

Recent Red Hat Linux and Ubuntu are using version 3 of OpenSSL, and will presumably have fixes available shortly. Where it is installed as a command line application you can type "openssl version" in a terminal. Here I have an old version, unsupported by OpenSSL, which is not vulnerable because the 1.1 branch isn't affected:

  $ openssl version
  OpenSSL 1.1.1n 15 Mar 2022

To get a feel for how this might affect Linux folk I tried:

  $ apt-cache rdepends openssl | wc -l
  254

The library is used by 254 packages on the Debian version to hand. In that list is everything from mail clients to mail servers, programming languages like Python (so a lot of things written in affected languages might also be vulnerable; we'll see when the details are out), VPNs, and cryptographic tools of all sorts. So understand that this is built into the infrastructure in many different applications.

Unfortunately it is more likely to be a problem where it is linked into code, and that may not be the version presented on the command line, depending on how many times you have done weird packaging things that bring in a version of a library that isn't fixed by upgrading the core operating system version of the same library. (This is why we say "don't do that", but actually we all do it occasionally because it is a useful cheat.)

What to do?
If you are small IT, then probably check if you are using OpenSSL 3 on Linux boxes and know that you will probably have to patch them and some third party devices. Figure out what is exposed to the Internet, and whether it uses OpenSSL. Check back on Tuesday.

If you are big IT, then hopefully you have a process for panicking in an appropriately measured fashion, and maybe even tickets from what happened last time OpenSSL had a critical issue. Usually the sky doesn't fall in too badly, and a lot of important stuff left OpenSSL behind at the last critical, so hopefully it is less work than last time. Start the hunt, and be prepared to do a lot of patching; cancel some meetings proactively and you might actually get something done for a change (too cynical?).

Nessus makes a stab at the OpenSSL version from ciphers etc., but you probably knew that if you are still reading; it isn't a reliable way to find vulnerable servers but it will probably do for now. nmap is your friend.

-- 
The Mailing List for the Devon & Cornwall LUG
https://mailman.dcglug.org.uk/listinfo/list
FAQ: https://www.dcglug.org.uk/faq/
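As an added example (not from the original post, nor from the OpenSSL project), here is a POSIX shell script for the hunt the post describes: it classifies version strings against the announced 3.0.0 to 3.0.6 range, and it looks past "openssl version" at the libssl/libcrypto copies actually mapped by running processes, any extra copies on local filesystems, and version text baked into statically linked or vendored binaries. The script name, the --scan flag and the directories searched are my assumptions; it assumes a Linux host with a GNU or busybox userland, and root for a complete view of other users' processes.

```shell
#!/bin/sh
# find_openssl3.sh (hypothetical name): hunt for OpenSSL 3.0.0-3.0.6 on a
# Linux host. "openssl version" only reports the command line tool; this
# checks the libssl/libcrypto copies mapped by running processes, every copy
# on local filesystems, and version text inside statically linked or
# vendored binaries under /usr/local and /opt (assumed locations).
# Assumes GNU awk/find/grep (or busybox equivalents) and, for other users'
# processes, root.

# Exit 0 when the version text is OpenSSL 3.0.0 to 3.0.6 (the range named in
# the pre-announcement); anything else, including 1.1.x and 3.0.7, exits 1.
openssl_affected() {
    ver=$(printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1)
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]
}

# Print "affected", "not-affected" or "unknown" for a version string.
classify_version() {
    if [ -z "$(printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')" ]; then
        echo unknown
    elif openssl_affected "$1"; then
        echo affected
    else
        echo not-affected
    fi
}

# Pull the embedded version text (e.g. "OpenSSL 3.0.2 15 Mar 2022") out of a
# shared object or executable without needing binutils' strings(1).
version_in_file() {
    tr -c '[:print:]' '\n' < "$1" \
        | grep -oE 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*' | head -n 1
}

# One report line per file: status, path, version text found.
scan_file() {
    ver=$(version_in_file "$1")
    printf '%-13s %s  %s\n' "$(classify_version "$ver")" "$1" "${ver:-no version text}"
}

scan_host() {
    {
        # 1. libraries mapped into running processes (field 6 of /proc/PID/maps is the path)
        awk '$6 ~ /libssl|libcrypto/ { print $6 }' /proc/[0-9]*/maps 2>/dev/null
        # 2. every copy on local filesystems, including ones bundled with third party software
        find / -xdev -type f \( -name 'libssl.so*' -o -name 'libcrypto.so*' \) 2>/dev/null
        # 3. statically linked or vendored builds: the version text sits inside the binary (GNU grep)
        grep -rlsa 'OpenSSL 3\.0\.[0-6] ' /usr/local /opt 2>/dev/null
    } | sort -u | while IFS= read -r f; do
        [ -f "$f" ] && scan_file "$f"
    done
}

# Run the host scan only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--scan" ]; then
    scan_host
fi
```

Run it as root with `sh find_openssl3.sh --scan` and grep the output for "affected"; a library that the distribution has already updated to 3.0.7 will show as "not-affected", while a copy shipped inside a third party product in /opt will show up separately and needs that vendor's fix, not the OS package.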