GlobalSign Blog

Urgent: Patch OpenSSL to avoid “Critical” Security Vulnerability

This almost certainly affects your organization...

*UPDATED 2022-11-02*

A serious vulnerability has been discovered in the OpenSSL 3.0 series and needs to be patched immediately. The OpenSSL Project released version 3.0.7 on November 2, 2022; it is a high severity update that should be applied without delay.

To unpack that a little: OpenSSL is a software library that is widely used to establish secure network connections. And by widely used, I mean almost completely ubiquitous: if you’re using HTTPS, chances are you’re using OpenSSL. Almost everyone is.

So, this is something almost everyone needs to be aware of. 

OpenSSL is developed by the OpenSSL Project, which advised on Wednesday, October 26th, that it would be releasing a patch for a critical vulnerability.

Here’s how the OpenSSL Project defines a critical vulnerability: 

“CRITICAL Severity. This affects common configurations and which are also likely to be exploitable. Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys or where remote code execution is considered likely in common situations. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to address these as soon as possible.” 

[UPDATE] Fortunately, the severity of this vulnerability has been revised following testing. It still qualifies as "high" severity, but it can be remedied with just the update to OpenSSL 3.0.7 and will not require certificates to be replaced.

Per the OpenSSL Project:

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service).

In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.

OpenSSL versions 3.0.0 to 3.0.6 are vulnerable to this issue.

Make sure that the correct stakeholders in your organization are aware of this vulnerability, its potential severity, and the new version of OpenSSL (3.0.7).  

If you are that individual, you need to check that you are indeed using OpenSSL (you are) and which version of it you’re using. Here’s the nuance: this affects the 3.0 series only, so if you’re running any release from 3.0.0 through 3.0.6 (don’t admit to that) you’re going to need to patch this immediately.

If you’re using version 1.1.1, this vulnerability doesn’t affect you, but there is a 1.1.1 update coming as well, version 1.1.1s, which you’re still going to need to make.
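As an added example (not from the GlobalSign post or from the OpenSSL Project), here is a small POSIX shell script that classifies an `openssl version` banner against the affected range named above, 3.0.0 through 3.0.6, treating 1.1.1x and 3.0.7 or later as not affected by this issue. It runs the check against the system `openssl` binary and against the libssl that python3 links, since those can be different builds. The `openssl_affected` and `report` function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the GlobalSign post or the OpenSSL Project.
# Classifies an "openssl version" banner against the range the advisory
# names (3.0.0 through 3.0.6) and prints a verdict.

# openssl_affected BANNER
#   Exit 0 if BANNER names a 3.0.0-3.0.6 release, 1 if it names any other
#   version (1.1.1x, 3.0.7 and later), 2 if no version could be parsed.
openssl_affected() {
    ver=""
    # A banner looks like "OpenSSL 3.0.2 15 Mar 2022"; take the first
    # word shaped like digits.digits.anything.
    for word in $1; do
        case "$word" in
            [0-9]*.[0-9]*.[0-9]*) ver="$word"; break ;;
        esac
    done
    [ -n "$ver" ] || return 2

    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # Drop a letter suffix or anything else after the patch number
    # ("1.1.1s" -> 1, "3.0.0-beta1" -> 0).
    patch=${patch%%[!0-9]*}
    for part in "$major" "$minor" "$patch"; do
        case "$part" in
            ""|*[!0-9]*) return 2 ;;
        esac
    done

    # Affected range: major 3, minor 0, patch 0..6.
    [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]
}

# report LABEL BANNER: print a one-line verdict for BANNER.
report() {
    label=$1
    banner=$2
    openssl_affected "$banner" && status=0 || status=$?
    case $status in
        0) echo "$label: $banner -> AFFECTED (3.0.0-3.0.6), upgrade to 3.0.7" ;;
        1) echo "$label: $banner -> not affected by this issue" ;;
        *) echo "$label: could not find a version in '$banner'" ;;
    esac
}

# The system binary and an interpreter that links its own libssl can be
# different builds; patching one does not fix the other.
if command -v openssl >/dev/null 2>&1; then
    report "system openssl" "$(openssl version)"
fi
if command -v python3 >/dev/null 2>&1; then
    report "python3 ssl module" \
        "$(python3 -c 'import ssl; print(ssl.OPENSSL_VERSION)' 2>/dev/null)"
fi
```

An application can ship its own copy of OpenSSL rather than use the system library (the python3 check above is one instance of that), so run the version check against each such application and container image rather than only the distribution package, and repeat it after updating to confirm the new build reports 3.0.7 or later.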

Remember, the longer you wait to update, the longer your network will potentially be vulnerable.

For full guidance on how to update OpenSSL, please refer to OpenSSL.org/source.

GlobalSign is proud to be your trusted digital partner. We’re closely monitoring this situation and will continue to provide updates on the blog and via direct customer communication (email) if any further action is required.
