HCL SW Blogs
HCL SW Blogs
Select Page
Automation, HCLSoftware
  |  November 1, 2022

New OpenSSL V3 Vulnerabilities Are Exploitable – Act Now

Rhonda Studnick Kaiser
Rhonda Studnick Kaiser
Director - Customer Experience BigFix
New OpenSSL V3 Vulnerabilities are Exploitable

(This blog will be updated with additional information as needed) 

The OpenSSL projectannounced details of vulnerabilities that exist in versions of the OpenSSL software versions earlier than version 3.0.7.  They have released OpenSSL Version 3.0.7 to address these security vulnerabilities. OpenSSL is the core open-source library that implements SSL and TLS protocols which makes it possible to securely communicate over the internet. It impacts Linux operating systems and some variants including Mac OS Ventura and Node.js 18 and 19. 

About the Vulnerability 

The OpenSSL project had originally communicated this vulnerability as Critical, however, it has since been downgraded to High per the latest advisory from OpenSSL.  They have indicated it does not impact versions of OpenSSL prior to V3.0.

This Vulnerability Is Known to Impact: 

  • Linux operating systems and some variants such as Ubuntu and macOS Ventura 
  • Containers and container images 
  • Node.js 18.x and 19.x which are JavaScript runtimes 
  • Code developed by C/C++ developers who embedded OpenSSL V3.0 or above 

Recommended Actions for BigFix Users 

  1. Review the latest details from OpenSSL at https://www.openssl.org/news/vulnerabilities.html 
  2. Identify vulnerable systems with OpenSSL V3.0 and above 
    1. Perform an Inventory scan (BigFix Inventory signatures in development) 
      1. Refer to the BigFix Forum for the software signature information once published 
      2. Review other sources of scanning software and tools for OpenSSL version at https://github.com/NCSC-NL/OpenSSL-2022/tree/main/scanning 
  3. Upgrade to OpenSSL to V3.0.7 as soon as possible to prevent a potential breach or attack 
    1. The BigFix team will be publishing vendor fixlets addressing this vulnerability in an expedited timeline
    2. Watch the BigFix Forum for content release announcements, as well as the BigFix Forum link below for our overall response.
  4. Keep abreast of updates on the Big Forum: https://forum.bigfix.com/t/openssl-3-vulnerabilities-2022-11-01/43303 

 

Comment wrap
Rhonda Studnick Kaiser
Rhonda Studnick Kaiser
Director - Customer Experience BigFix
Rhonda Studnick Kaiser is the HCL BigFix Director of Customer Experience. With more than 20 years of IT experience, more than 10 years in Information Security, my goal is to bring the voice of the customer into every stage of BigFix development and delivery. My passion is to ensure that our customers get the most out of their investment in BigFix and to build a trust relationship with them to drive innovation, transparency and cooperation across the product line.
Read more

Topics in this article:

BigFixOpenSSLvulnerability

Submit a Comment

Your email address will not be published. Required fields are marked *

* HCL provides software and services to the U.S. Federal Government through its partner Four, Inc. Please contact Four, Inc. at the U.S. Federal Government contact page.


Further Reading
bigfix
bigfix
BigFix on Cloud
Automation | February 20, 2023
Accelerate Your Endpoint Management with BigFix on Cloud
As endpoints continue to grow in volume and diversity, managing and securing them has become more complex and time-consuming.
Deepika Choudhary
Deepika Choudhary
bigfix
bigfix
Oracle Increases Prices for Java
Automation | February 8, 2023
Oracle Increases Prices for Java – Look to BigFix for a Solution
To help our customers navigate this Oracle change, BigFix Inventory can identify which machines have Oracle Java to avoid unexpected license compliance issues.
Sana Nair
Sana Nair
Product Marketing Manager
bigfix
bigfix
Large-scale Ransomware Campaign
Automation | February 8, 2023
Large-Scale Ransomware Campaign Exploits a Two-Year-Old VMware Vulnerability
The attack campaigns appear to be exploiting CVE-2021-21974 for which a patch has been available since February 23, 2021. Systems running ESXi versions 7.0, 6.7 and 6.5 are currently being targeted and pose the greatest threat.
Cyril Englert
Cyril Englert
Solution Architect
Close
Filters result by
Sort:
|
ProductsRESET