Mark Cox, vice-president of security at the Apache Software Foundation, tweeted on 26 October that an OpenSSL 3.0.7 update would fix a critical CVE due to be announced on 1 November, adding that it did not affect versions before 3.0.
This led to American tech site ZDNet putting the hype machine in overdrive, with Steven Vaughan-Nicholls penning an article where the standfirst read: "We don't have the details yet, but we can safely say that come Nov. 1, everyone — and I mean everyone — will need to patch OpenSSL 3.x."
InfoSec industry spoiler for next week:— Kevin Beaumont (@GossiTheDog) October 28, 2022
OMG WE'RE GOING TO GET OWNED BY OPENSSL 3.X VULN (WHICH WE DON'T EVEN RUN AS 3.X ONLY JUST RELEASED A YEAR AGO)
What we actually get owned by: the Zero Trust VPN appliance we installed and didn't patch pic.twitter.com/ISkExgVqNP
He wrote: "It's likely to be abused to disclose server memory contents, and potentially reveal user details, and could be easily exploited remotely to compromise server private keys or execute code execute remotely. In other words, pretty much everything you don't want happening on your production systems."
Btw, I don’t think the OpenSSL peeps did anything wrong here.— Kevin Beaumont (@GossiTheDog) October 28, 2022
Certain orgs end up with early notification. That’s good.
Less good is the stampede of panic it ends up causing downstream.
Be like this cat. Read the info when public and decide for yourself. pic.twitter.com/UMPsOnJysk
The company's post said, "[Of the OpenSSL instances] 98.5% are older, unaffected versions... A quick review of Linux distributions shows that only new versions like Ubuntu 22 and RHEL 9 include OpenSSL v3 in their package managers. This information supports the relatively low prevalence of the vulnerable versions."
Beaumont said: "The sad thing about the OpenSSL vuln is it's an open source project... yet I just had a member of the press offer to tell me about the vuln if I sign an NDA from a security vendor and agree to an embargo so I could comment on it. Uh, no. Stop monetising fear, vendors."
He advised security people to keep an eye on the page for the Node.js library. "Doesn't Redhat ship with OpenSSL 3? Yes, in Redhat Enterprise Linux 9 from May 2022. I doubt you've deployed it in production," he wrote.
"Doesn't new Node.js use OpenSSL 3? Yes. Almost all the vulns don't apply."
Beaumont said: "I should probably blog about this one day, but to help contextualise - for orgs like Google and Cloudflare, SSL stacks are their life blood.
"They have billion=dollar cyber budgets. They deal with every nation state 24/7. You.. probably haven’t finished migrating off Win2008."
Over the years, OpenSSL has experienced a number of critical and serious vulnerabilities but none worse than the one dubbed Heartbleed which was made public in 2014. It had been introduced into the code upstream in December 2011. When exploited, it leaks the contents of memory from server to client and vice versa.
A friend at another org (a manufacturer) had their weekend cancelled as their employer had SecOps stood up all weekend to track this.— Kevin Beaumont (@GossiTheDog) October 30, 2022
In case you're wondering what they're tracking... they don't know either.
Lord, this industry is a trashfire.
This led the founder of the OpenBSD operating system, Theo de Raadt, to fork the code into something he called LibreSSL and start cleaning up the bugs.