Critical zero-day bug, first since Heartbleed, identified in OpenSSL

New version to be released on 1st November. Organisations should act now to track down OpenSSL 3.0.x in their infrastructure, warns Sonatype

The team maintaining OpenSSL, the cryptographic library behind much of the TLS traffic on the Internet, has pre-announced a critical vulnerability in the 3.0 series of the software. Details are being withheld until the fix is available.

OpenSSL 3.0.7, to be released on 1st November, will fix the issue for the 3.0 series (3.0.0 through 3.0.6), according to a tweet from maintainer Mark J Cox on Monday. The older 1.1.1 and 1.0.2 branches are not affected.

OpenSSL 3.0.x ships as the default in many recent Linux distributions, including Fedora 36, CentOS Stream 9, Mint 21, Mageia Cauldron, OpenMandriva and Ubuntu 22.04. A package-manager query only finds the distribution's own copy, however: software that bundles or statically links OpenSSL (container images, language runtimes, vendor appliances) has to be inventoried separately.

This is the first critical vulnerability in OpenSSL since Heartbleed, and while no details have yet been released, the very ubiquity of OpenSSL and its role in securing traffic makes this a major cause for concern.

"Yesterday, a critical issue was pre-announced that affects OpenSSL. OpenSSL allows nearly all encryption across the internet to happen - it is considered part of the internet's critical infrastructure," noted Brian Fox, CTO of security vendor Sonatype.

A 'critical' vulnerability is one that "affects common configurations and which is also likely to be exploitable", according to the OpenSSL team's security policy. The examples the policy gives are significant disclosure of server memory contents, flaws that can be exploited remotely to compromise server private keys, and cases where remote code execution is considered likely in common situations.

Under that policy, a critical issue is fixed in a new release of OpenSSL as soon as possible, with the release date announced roughly a week in advance so that users can plan their upgrade; this week's pre-announcement is that notice.

Heartbleed, discovered in 2014, was a bug in OpenSSL's implementation of the TLS heartbeat extension (TLS was then still commonly called SSL) that let an attacker read chunks of a server's memory, which could include the server's private key. With that key an attacker could impersonate the server or decrypt captured traffic from sessions that lacked forward secrecy. After its discovery it emerged that OpenSSL had only one or two active maintainers and very little funding, prompting many questions about the security of widely used open source software.

Since then, organisations such as the Linux Foundation's Open Source Security Foundation (OpenSSF), together with large software companies such as Google and Microsoft, have launched projects such as Alpha-Omega to identify the most critical open source projects and help them improve their security.

There is still much to be done in this regard, said Fox, pointing to organisations' lack of preparedness when another ubiquitous open source component, Apache Log4j, was found to have a critical flaw last year.

"The unprepared scrambled last year when news about Log4Shell dropped. Our data shows that organisations who were prepared were able to remediate thousands of applications within days. The data also shows that today, 38% of the Maven Central downloads for Apache Log4j are still of the known vulnerable versions, so clearly lots of organisations are still unprepared."

Once the fixed version of OpenSSL has been released, it won't be long before threat actors work out the flaw from the patch and start exploiting systems that have not been updated. Organisations have five days to start tracking down instances of OpenSSL 3.0.x in their infrastructure, Fox warned: "The clock is ticking."
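As an added illustration of the inventory step Fox is urging, the following bash script (written for this page; it is not from the article, Sonatype or the OpenSSL project) classifies `openssl version` strings as in or out of the affected 3.0.0 to 3.0.6 range and then looks for 3.x `libssl`/`libcrypto` shared objects on disk, including copies a package manager never installed. It assumes bash with GNU or BSD `grep` and `find`, and relies on the fact that the 3.0 series is packaged with the sonames `libssl.so.3` and `libcrypto.so.3` and embeds an "OpenSSL 3.0.x <date>" banner in the library.

```bash
#!/usr/bin/env bash
# Added example (not from the article or Sonatype): triage OpenSSL version
# strings and inventory a host for copies of the 3.0 series.
# Assumptions: bash, GNU/BSD grep with -a/-o/-E, find with -xdev. The soname
# test (libssl.so.3 / libcrypto.so.3) reflects how OpenSSL 3.0 is packaged.

# Return 0 if the string names an OpenSSL release in the affected range
# (3.0.0 .. 3.0.6), 1 otherwise. Accepts "openssl version" output such as
# "OpenSSL 3.0.5 5 Jul 2022" or a bare "3.0.2". 1.1.1/1.0.2 and LibreSSL
# version numbers are deliberately reported as out of scope.
openssl_needs_3_0_7() {
    local ver major minor patch
    # first dotted version token, with an optional letter suffix (1.1.1q)
    ver=$(printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+[a-z]*' | head -n1)
    [ -n "$ver" ] || return 1
    IFS=. read -r major minor patch <<EOF
$ver
EOF
    patch=${patch%%[a-z]*}           # drop letter suffix before numeric compare
    [ "$major" -eq 3 ] || return 1   # not the 3.x line
    [ "$minor" -eq 0 ] || return 1   # not the 3.0 series
    [ "$patch" -lt 7 ]               # 3.0.7 is the fixed release
}

# Report the OpenSSL binary on PATH and every 3.x libssl/libcrypto shared
# object under $1 (default /). Bundled copies inside language runtimes or
# vendor software show up here even though the package manager never
# installed them; point $1 at an exported container rootfs to check images.
scan_host_for_openssl3() {
    local root=${1:-/} bin v lib
    if bin=$(command -v openssl 2>/dev/null); then
        v=$("$bin" version 2>/dev/null)
        if openssl_needs_3_0_7 "$v"; then
            printf 'AFFECTED  %s (%s)\n' "$bin" "$v"
        else
            printf 'ok        %s (%s)\n' "$bin" "$v"
        fi
    fi
    find "$root" -xdev -type f \( -name 'libssl.so.3*' -o -name 'libcrypto.so.3*' \) 2>/dev/null |
    while IFS= read -r lib; do
        # the library embeds its own "OpenSSL 3.0.x <date>" banner
        v=$(grep -aoE 'OpenSSL 3\.[0-9]+\.[0-9]+[a-z]*' "$lib" | head -n1)
        if [ -z "$v" ]; then
            printf 'REVIEW    %s (3.x soname, version banner not found)\n' "$lib"
        elif openssl_needs_3_0_7 "$v"; then
            printf 'AFFECTED  %s (%s)\n' "$lib" "$v"
        else
            printf 'ok        %s (%s)\n' "$lib" "$v"
        fi
    done
}

# Usage: bash openssl3_inventory.sh [ROOT]; with no argument only the
# functions are defined, so the file can also be sourced.
if [ $# -gt 0 ]; then
    scan_host_for_openssl3 "$1"
fi
```

Run it as `bash openssl3_inventory.sh /` on each host, or against an unpacked container image root; anything reported as AFFECTED is a 3.0.0 to 3.0.6 copy that needs 3.0.7 once it ships, and REVIEW lines are 3.x libraries whose exact version should be confirmed from the owning package or vendor. Once 3.0.7 is installed the same script will report those copies as ok, so it doubles as the post-patch check.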