Latest information on OpenSSL 3.0 Critical Bug & Security-Fix


What to know and do about this week’s OpenSSL vulnerability

There are still many unknowns about this week’s OpenSSL vulnerability, until further details are released on Tuesday, November But there is already noise and worries, and also an opportunity to prepare before the details.

OpenSSL is an open source cryptography library widely used in a range of commercial and internal applications to provide encryption and other security and privacy features. It is found in applications deployed on-premises, in the cloud, in SaaS applications, on terminals, on servers, in IOT or OT environments, etc. Thus, the potential for disruption is high when there is a serious flaw in OpenSSL.

What’s the problem in OpenSSL?

Details are unknown at this time (but we’ll update this blog once more details are released). The OpenSSL project team has indicated that the vulnerability is “critical” and that affected versions will require patching to a new version 3.0.7 or higher. This is only the second time OpenSSL has had a vulnerability labeled “critical” (the first was in September 2016). Vulnerabilities at this severity level “affect common configurations and […] are also likely to be exploitable.

There is good news, however: this week’s security issue only affects OpenSSL version 3.0 and above, which will limit the scope of affected applications. Version 3.0 was only released a little over a year ago on September 7, 2021, and many apps are still using older versions that don’t contain this new flaw.

Even if an application uses OpenSSL 3.0 or later, it is possible that there are situations where an application remains safe from exploitation of the new flaw, as the vulnerability may not be exposed in all circumstances. More information is needed before this can be properly assessed.

How can you prepare?

While details remain unknown, you can still take action ahead of Tuesday’s update.

1. Don’t Panic: Many applications still use versions of OpenSSL earlier than 3.0, and these are unaffected. It is extremely unlikely that you will experience any issues in all of your applications.

2. Find internal applications using OpenSSL 3.0 or higher: Now is a good time to identify any internal applications (for example, custom applications created by your employees or contractors) that use the affected versions of OpenSSL. You can leverage an existing “software bill of materials” (SBOM) or run analysis against your company’s source code repositories. Once more details are known, you can assess the impact more quickly, focusing on assessing whether the vulnerability is exploitable for each application.

3. Get ready to check 3rd party supplier status: Many 3rd third-party apps use OpenSSL, and you’ll want to ask the vendors of the apps you use, whether on-premises or SaaS, to understand how they’re affected.

4. Prepare to patch: Expect some of your internal employees and 3rd party apps will need an urgent update. Consider prioritization based on your inventory and anticipate the need for additional resources to focus on short-term fixes.

5. Prepare to temporarily take some applications offline: If the vulnerability details reveal a serious risk to your business operations or data and fixes are not available in a timely manner, it may be necessary to temporarily take these applications offline. It is not necessary to take this step now, but the possibility deserves careful consideration.

6. Consider mitigation measures once further details are known: It is too early to know what mitigations will be effective beyond patches. It is possible that technologies such as intrusion prevention systems (for example, Trend Micro Tipping point) or Host Intrusion Prevention Systems (for example, the virtual remediation features found in the cloud one and Summit one endpoint security products) may be effective against exploiting this OpenSSL vulnerability, but until further details are released, Trend Micro do not know whether these mitigation measures are effective. It’s also possible that the exploit could be seen in Extended Detection and Response (XDR) or Endpoint Detection and Response (EDR) products, but again, it’s too early to tell.

Are Trend Micro products affected?

Trend Micro does not yet know if its products are affected by the OpenSSL 3.0 vulnerability, as more details are needed to complete this review.

An initial knowledge base has been posted here and will be updated as new information becomes available.


Comments are closed.