
Disclosure of critical OpenSSL vulnerabilities – Check Point Software

30/10/2022

Highlights:

  • The OpenSSL Project, maintainer of a library that much of the secure Internet is built on, has pre-announced a release that fixes a CRITICAL severity security vulnerability.

  • Although details have yet to be shared, organizations are urged to stay alert and prepare to patch and update systems on Tuesday, November 1.

  • Because OpenSSL is so widely deployed, the potential reach of this vulnerability is enormous, hence the urgency to patch and update systems as soon as the fix is out.

  • Check Point researchers are closely monitoring this developing story and will release new protections as details become available.

Background

In an official statement last Tuesday (October 25), the OpenSSL project team announced that its next release will be published on Tuesday, November 1, 2022, between 1300 and 1700 UTC.
That release will include a fix for a CRITICAL severity security vulnerability.

The OpenSSL project defines its CRITICAL severity rating as follows:
“CRITICAL Severity. This affects common configurations and which are also likely to be exploitable…”

Although the exact details of the vulnerability are still unknown at this stage, we urge organizations to stay alert for the release, keep their systems patched and keep all protections up to date until further details are revealed.

Which versions of OpenSSL are vulnerable?

Only the OpenSSL 3.0 series is affected: versions 3.0.0 through 3.0.6. The 1.1.1 branch was not named in the announcement and is not affected.
OpenSSL 3.0.7 is the next release and is the one that will carry the fix for the critical vulnerability.

What is OpenSSL?

OpenSSL is a widely used code library that implements TLS and the cryptography beneath it, enabling secure communication over the Internet. Simply put, a large share of the websites we visit and the online services we use rely on OpenSSL under the hood to protect the connection.

This means that on Tuesday morning we will all have to pay close attention to what the OpenSSL project team releases, since it is expected to affect broad aspects of our day-to-day Internet use.

What could be the risk?

Although we will have to wait until November 1 for details on the nature of the vulnerability, OpenSSL's own examples for a CRITICAL rating include disclosure of server memory, compromise of server private keys and likely remote code execution, so the impact could include exposure of private keys or user data. Either way, it would undermine the very foundation of the encrypted sessions we all rely on with so many services today. Given how common OpenSSL is, this could be a massive event.

What can I do until more details are revealed?

In the meantime, businesses should remain vigilant and follow security best practices, including patching and updating all systems to the latest operating system and software versions, and prepare to update IPS signatures as soon as they become available.

We also recommend finding out in detail where OpenSSL is used within the organization. A Software Bill of Materials (SBOM), which provides a detailed listing of the company's software components and their versions, is the right tool for this, but remember that OpenSSL is also statically linked into many binaries and vendored into appliances and container images that a package list alone will not reveal.

This will help prioritize critical areas and prepare for the expected fix.
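To make the inventory concrete, here is an added example (not Check Point's or the OpenSSL project's own tooling) that applies the affected range from the "Which versions of OpenSSL are vulnerable?" section to one host: it classifies a version string as affected or not, lists what the package manager knows, and also scans shared libraries and executables for the "OpenSSL x.y.z <date>" banner that libcrypto and statically linked binaries embed, which is how vendored copies are found. The affected range (3.0.0 through 3.0.6), the search paths and the sample banner text used in the comments are assumptions made for the example.

```shell
#!/bin/sh
# Added example; not Check Point's or the OpenSSL project's own tooling.
# Assumptions (labelled): the affected range is OpenSSL 3.0.0 through 3.0.6,
# per the project's pre-announcement of the 3.0.7 fix; search paths are
# illustrative and should be extended for your environment.

# openssl_affected VERSION
# Returns 0 (true) when VERSION falls in the announced 3.0.0..3.0.6 range,
# 1 otherwise. Accepts strings such as "3.0.5", "3.0.6-dev" or "1.1.1q".
openssl_affected() {
    ver=$1
    major=${ver%%.*}            # "3.0.5"   -> "3"
    rest=${ver#*.}              #           -> "0.5"
    minor=${rest%%.*}           #           -> "0"
    patch=${rest#*.}            #           -> "5"   (for "3.0", stays "0")
    patch=${patch%%[!0-9]*}     # "6-dev"   -> "6",  "1q" -> "1"
    [ "$major" = 3 ] && [ "$minor" = 0 ] && [ "${patch:-0}" -lt 7 ]
}

# scan_for_openssl FILE...
# Prints "<file> <version> <affected|ok>" for every OpenSSL version banner
# embedded in FILE. libcrypto and statically linked binaries carry a string
# of the form "OpenSSL x.y.z  <build date>", so this catches vendored copies
# that the package manager does not know about.
scan_for_openssl() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        versions=$(grep -a -o 'OpenSSL [0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9a-z]*' "$f" 2>/dev/null \
                   | awk '{print $2}' | sort -u)
        for v in $versions; do
            if openssl_affected "$v"; then status=affected; else status=ok; fi
            printf '%s %s %s\n' "$f" "$v" "$status"
        done
    done
}

# inventory_host
# One-host inventory: the system openssl, what the package manager records,
# and banners embedded in shared libraries and executables under common
# prefixes. Feed the output into your SBOM to prioritise patching.
inventory_host() {
    if command -v openssl >/dev/null 2>&1; then
        printf 'system openssl: %s\n' "$(openssl version 2>/dev/null)"
    fi
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Package} ${Version}\n' 'libssl*' 'openssl*' 2>/dev/null || true
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -qa 'openssl*' 2>/dev/null || true
    fi
    # Search paths are assumptions; add appliance and container prefixes.
    { find /usr/lib /usr/lib64 /usr/local/lib -type f \
           \( -name 'libcrypto*' -o -name 'libssl*' \) 2>/dev/null
      find /usr/local/bin /opt -type f -perm -u+x 2>/dev/null; } \
    | while IFS= read -r f; do scan_for_openssl "$f"; done
}

# Run the inventory when invoked as "sh inventory.sh --scan"; sourcing the
# file only defines the functions so they can be reused elsewhere.
if [ "${1:-}" = "--scan" ]; then
    inventory_host
fi
```

Run it as `sh inventory.sh --scan` on each host, or point `scan_for_openssl` at an unpacked container image or firmware tree. Anything reported as `affected` goes to the top of the November 1 patch list; `ok` entries on the 1.1.1 branch still need their own regular updates but are outside the scope of this announcement.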

Check Point researchers are monitoring this story closely and will report back as developments become available.

Emergency helpline

At any time, if you believe you have been breached or attacked, contact our emergency helpline.

Plus, our technical support centers around the world are available to help you 24/7.