On October 25th, 2022 The OpenSSL Project announced a future release of OpenSSL (version 3.0.7) to address a security vulnerability. The release will be live on Tuesday, November, 1, 2022. This document provides an overview of steps you can take to protect your organization and your 3rd party network as well as a summary of our investigation and mitigation efforts.
OpenSSL is what makes it possible to use secure Transport Layer Security (TLS) on Linux, Unix, Windows, and many other operating systems. It’s also what is used to lock down secure communications. Many applications use OpenSSL and as a result this vulnerability could have widespread implications for organizations of all sizes and industries across the world.
Security and Impact
CVE-2022 – 3786 and CVE-2022 – 3602 have both been given a ‘HIGH’ Severity, which indicates it “affects common configurations” and is likely to be exploitable with potential to disclose server contents, user details and compromise private keys or even execute code remotely.
The update contains a fix for a security issue that affects OpenSSL versions 3.0.0 through 3.0.6.
It is important to quickly assess the impact and risk both internally and within your third-party population. Take action now and follow these steps to assess the potential impact to systems and remediate accordingly.
Step 1: Determine if you are at risk.
- If you or a third party are running OpenSSL 3.0.x the system is vulnerable to this CVE.
- To assess whether your Third Parties are vulnerable, customers can access the OpenSSL Questionnaire in the Whistic platform under our Questionnaire Standards Library by clicking here.
- A standalone .xls file can be found here.
Step 2: Immediately patch systems that have been impacted.
- Make sure your team is aware of the Vulnerability and the upcoming release on November 1, 2022.
- Determine which applications and infrastructure are using OpenSSL 3.0 or above.
- Update any vulnerable OpenSSL installations.
Does this affect Whistic?
As a result of our investigation, we have determined that these vulnerabilities (CVE-2022 – 3786 or CVE-2022 – 3602) do not directly impact Whistic. While Whistic uses OpenSSL in conjunction with many other tools, the particular versions we use were not affected by this vulnerability and our use of this library would not be affected. We have a structured approach to vulnerability identification and remediation using technologies in both the development lifecycle and in our stage and production environments.