Critical OpenSSL Vulnerability Patched in Version 3.0.7
A vulnerability in OpenSSL 3.0 has been disclosed and fixed in version 3.0.7. It was pre-announced with a CRITICAL severity, the first such rating since Heartbleed, but was downgraded to HIGH at release and split into two CVEs, CVE-2022-3602 and CVE-2022-3786. Both are buffer overflows in X.509 certificate verification: while name constraints are checked, the Punycode decoder used for internationalised email addresses in certificate names can be overrun by a crafted certificate. CVE-2022-3602 overflows four attacker-controlled bytes on the stack; CVE-2022-3786 overflows an arbitrary number of bytes, each fixed to the '.' character. Either can crash the process, and the four-byte overflow was initially considered a possible path to remote code execution, which is why the issue was first rated critical.
Exposure is limited because only OpenSSL 3.0.0 through 3.0.6 are affected; the 1.1.1 and 1.0.2 branches do not contain the Punycode decoder and are not vulnerable, and adoption of the 3.0 series, released about 14 months earlier, is still modest. The larger problem is the installed base of end-of-life and end-of-support OpenSSL versions: over 82% of observed OpenSSL instances fall into this category, exposed to more than 200 known vulnerabilities in total, seven of which have publicly available weaponized exploits and 32 of which have proof-of-concept (PoC) exploit code.
Exploiting either CVE requires a certificate authority (CA) to have signed the malicious certificate, or an application that continues certificate verification despite failing to build a path to a trusted issuer. A TLS client is reachable simply by connecting to a malicious server; a TLS server is reachable only if it requests client authentication and a malicious client connects. No working remote code execution (RCE) exploit is publicly available; the published proofs of concept crash OpenSSL. Scan data also show that less than 0.1% of servers run a vulnerable version, with only about 1.5K organizations running a vulnerable OpenSSL 3.0. The vulnerability was pre-announced on 25 October, a week before the 1 November release, to give organizations time to prepare a response.
OpenSSL 3.0.7 fixes both CVEs. Organizations running 3.0.0 through 3.0.6 should upgrade to 3.0.7 or later, or apply their distribution's backported fix, and should remember that applications which statically link or bundle their own OpenSSL must be rebuilt, since a system package upgrade does not reach them. Despite the limited impact so far, the prevalence of outdated OpenSSL versions highlights the importance of regular software updates and of keeping cryptographic libraries current.
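A quick way to triage hosts against the affected range is to classify the version banner that OpenSSL reports. The script below is an added example, not code from the article or from the OpenSSL project; it assumes the standard "OpenSSL x.y.z <date>" banner format, and the sample banners in the test are constructed. It checks both the OpenSSL that the running Python interpreter was linked against and the `openssl` binary on PATH.

```python
"""Classify OpenSSL version banners against the CVE-2022-3602 / CVE-2022-3786
fix boundary: 3.0.0 through 3.0.6 are affected, 3.0.7 and later are fixed,
and the 1.1.1 / 1.0.2 branches never contained the vulnerable decoder."""
import re
import ssl
import subprocess
from typing import Optional, Tuple

AFFECTED_MIN = (3, 0, 0)   # first release carrying the Punycode decoder
FIXED_IN = (3, 0, 7)       # release that fixed both CVEs

# Matches "OpenSSL 3.0.6 4 Oct 2022" and legacy "OpenSSL 1.1.1q 5 Jul 2022".
# LibreSSL / BoringSSL banners deliberately do not match.
_BANNER_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)[a-z]*")


def parse_banner(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a banner, or None if it is not OpenSSL."""
    m = _BANNER_RE.search(banner)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(banner: str) -> Optional[bool]:
    """True if the banner is in the affected range, False if not,
    None if the banner is not an OpenSSL banner at all.

    Caveat: a banner cannot see distribution backports (for example a
    3.0.2 package that received the 3.0.7 fix), so treat True as
    'check the package changelog', not as proof of exposure."""
    version = parse_banner(banner)
    if version is None:
        return None
    return AFFECTED_MIN <= version < FIXED_IN


def running_interpreter_report() -> dict:
    """Classify the OpenSSL the Python ssl module was linked against."""
    return {
        "banner": ssl.OPENSSL_VERSION,
        "affected": is_affected(ssl.OPENSSL_VERSION),
    }


def system_openssl_report(binary: str = "openssl") -> dict:
    """Classify the `openssl` binary on PATH; reports an error if it is absent."""
    try:
        out = subprocess.run(
            [binary, "version"], capture_output=True, text=True, check=True
        ).stdout
    except (OSError, subprocess.CalledProcessError) as exc:
        return {"banner": None, "affected": None, "error": str(exc)}
    return {"banner": out.strip(), "affected": is_affected(out)}


if __name__ == "__main__":
    for report in (running_interpreter_report(), system_openssl_report()):
        print(report)
```

Note that a banner check covers only the two copies of OpenSSL this script can see; statically linked or vendored copies inside other applications must be inventoried separately, and a result of True on a distribution package is a prompt to read the package changelog rather than a confirmed exposure.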