Upcoming Critical OpenSSL Vulnerability: What will be Affected?

Published: 2022-10-27
Last Updated: 2022-11-01 14:30:42 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

Some here may still remember Heartbleed. Heartbleed was a critical OpenSSL vulnerability that surprised many organizations, and patching the issue was a major undertaking. Heartbleed caused OpenSSL and other open-source projects to rethink how they address security issues and communicate with their users. OpenSSL started to pre-announce any security updates about a week ahead of time.

This week, OpenSSL announced they would release OpenSSL 3.0.7 this coming Tuesday. It will fix a critical vulnerability [1]. The OpenSSL definition of critical:

  • CRITICAL Severity. This affects common configurations and which are also likely to be exploitable. Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys or where remote code execution is considered likely in common situations. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to address these as soon as possible.

In short: This is something you will need to worry about!

The update will only affect OpenSSL 3.0.x, not 1.1.1. Now is the time to figure out where and how you are using OpenSSL 3.0.x. For most systems, you will be able to use the openssl command line utility:

% openssl version
OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
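The check above can be scripted across every copy of the openssl binary on a host. The following is an added example, not code from the original diary: the function names and verdict labels are assumptions, and the sample banners other than the one shown above are constructed. It encodes only what this diary states (3.0.x is affected, 3.0.7 carries the fix, 1.1.1 is not affected).

```shell
#!/bin/sh
# classify_banner "<output of `openssl version`>" prints one verdict:
# affected | fixed | not-affected | not-openssl | unknown
classify_banner() {
    name=${1%% *}                 # first word: OpenSSL, LibreSSL, ...
    rest=${1#* }
    ver=${rest%% *}               # second word: 3.0.5, 1.1.1q, ...
    case "$name" in
        OpenSSL) ;;
        LibreSSL) echo "not-openssl"; return 0 ;;   # the macOS default
        *) echo "unknown"; return 0 ;;
    esac
    case "$ver" in
        3.0.*)
            patch=${ver#3.0.}            # "5", "7", "0-dev", ...
            patch=${patch%%[!0-9]*}      # keep the leading digits only
            [ -n "$patch" ] || { echo "unknown"; return 0; }
            if [ "$patch" -lt 7 ]; then echo "affected"; else echo "fixed"; fi ;;
        0.*|1.*) echo "not-affected" ;;  # e.g. 1.0.2k, 1.1.1q
        *) echo "unknown" ;;             # anything the diary does not cover
    esac
}

# scan_path: run every openssl binary on $PATH (Homebrew or MacPorts may add a
# second copy beside the system one); prints path, verdict, banner (tab-separated).
scan_path() {
    old_ifs=$IFS; IFS=:
    for dir in $PATH; do
        bin="$dir/openssl"
        [ -x "$bin" ] && [ ! -d "$bin" ] || continue
        banner=$("$bin" version 2>/dev/null) || continue
        printf '%s\t%s\t%s\n' "$bin" "$(classify_banner "$banner")" "$banner"
    done
    IFS=$old_ifs
}

if [ "${1:-}" = "--scan" ]; then
    scan_path                     # real host inventory
else
    # Constructed sample banners (the first is the one quoted in the diary).
    for b in "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)" \
             "OpenSSL 1.1.1q  5 Jul 2022" "LibreSSL 3.3.6"; do
        printf '%s -> %s\n' "$b" "$(classify_banner "$b")"
    done
fi
```

Distribution packages can backport a fix without changing the upstream version string, so treat an "affected" verdict as a prompt to check the vendor advisory. Software that bundles or statically links its own OpenSSL will not show up in a PATH scan.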

Here is a quick list of OpenSSL versions for different operating systems:

OpenSSL 3.0.0, the first stable version of OpenSSL 3.0, was released in September 2021, about one year ago. Any older operating systems are likely using OpenSSL 1.1.1, which is not affected.

macOS: By default, macOS ships with LibreSSL, not OpenSSL. But OpenSSL may be installed later by other software like Homebrew and MacPorts.

[Thanks to all the contributors to this table. Let me know if you have additional entries.]

Linux Distro                              OpenSSL Version
----------------------------------------  ---------------
CentOS Linux release 7.9                  1.0.2
CentOS 8                                  (1.1.1)
CentOS Stream 9                           (3.0.1)
Debian 11 (bullseye)                      (1.1.1)
Endeavour 2022.09.10                      (1.1.1)
Fedora 34                                 (1.1.1)
Fedora 35                                 (1.1.1)
Fedora 36                                 (3.0.5)
Fedora Rawhide                            (3.0.5)
Kali 2022.3                               (3.0.5)
Linux Mint 21 Vanessa                     (3.0.2)
Mageia 7                                  (1.1.1)
Mageia 8                                  (1.1.1)
Mageia Cauldron                           (3.0.5)
OpenMandriva 4.3                          (3.0.3)
OpenMandriva Cooker                       (3.0.6)
OPNsense 22                               1.1.1
OpenSuSE Leap 15.2                        (1.1.1)
OpenSuSE Leap 15.3                        (1.1.1)
OpenSuSE Leap 15.4                        (1.1.1)
Proxmox 6                                 1.1.1
Redhat EL 9                               3.0
Rocky Linux release 9.0 (Blue Onyx)       3.0.1
Slackware 14                              1.0.1
Ubuntu 20.04                              (1.1.1)
Ubuntu 22.04                              (3.0.2)
Unifi Cloudkey 2.5.11                     1.1.0
Unifi NVR                                 1.1.0

[1] https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu

Comments

How about Amazon Linux 2, or 2022? A quick search seems like AML 2 is somewhat similar to CentOS 8.
From what I have seen you are correct, the default version is 1.x in AWS. More focus should be on the network devices such as load balancers, VPN access points, WAFs, etc. which are terminating SSL connections in from untrusted sources (i.e. internet). At least from what I have seen so far, all are still using 1.x versions of OpenSSL.
