TL;DR: If you use OpenSSL 3.0 or higher, prepare to upgrade to version 3.0.7 as soon as possible. The fix is available from Tuesday, 1 November 2022, between 1300-1700 UTC.
On Tuesday, the OpenSSL team announced the release of a new version to address a critical vulnerability in versions 3.0.0 and higher. The new version will be available from November 1, 2022. The OpenSSL library rarely has critical vulnerabilities, but due to its popularity and widespread use, we should be cautious.
On the basis of the critical level assigned by the OpenSSL team, we can assume that the vulnerability can be easily exploited, and involves data leakage or remote code execution. It is therefore extremely important that organizations act swiftly to determine any use of the affected OpenSSL version and if they are exposed to the vulnerability.
Impact of the Vulnerability
According to the announcement, the vulnerability affects only newer versions of OpenSSL V3.0 and higher. It is hard to predict the potential damage and risk of this vulnerability to the organization. What we do know is that, despite being the most recent version of OpenSSL, which was released one year ago, OpenSSL V3.0 is far less ubiquitous than OpenSSL V1.0.
We can split the impact into different categories: OS distributions, containers, web applications and any other application that uses an embedded OpenSSL library.
OpenSSL V3.0 has been incorporated into Linux operating systems such as Ubuntu 22.04 LTS, MacOS Ventura, Fedora 36, and others. It should be noted, however, that most of these Linux distributions only include OpenSSL 3.0 and above in their most recent releases of the OS applications. These versions are considered testing versions so may not be widely used in production systems. If you develop proprietary software in your organization, you should also check if your code uses the vulnerable OpenSSL version.
In addition, many Docker Official images still use OpenSSL V1.x and are not affected. The Docker Official container images for popular projects like Redis and httpd are unaffected. On the other hand, NodeJS’s latest version is vulnerable.
In terms of web applications, the adoption of OpenSSL V3.0 is very slow. Running a query in Shodan, we found approximately 14,000 devices running OpenSSL V3.0.0 as opposed to 770,000 running OpenSSL V1.1.1. According to this survey, OpenSSL V3.0 is adopted by less than 0.2% of websites worldwide, in comparison to more than 75% of V1.
We see that the adoption of OpenSSL V3.0 and above is still very low. Nonetheless, you should still check if you have entities with the vulnerable version in your organization.
Vulnerable OS Versions
Based on our research, we’ve compiled a list of the most popular OS distributions and versions that contain the vulnerable OpenSSL version.
OS Distribution | OpenSSL Version | |
---|---|---|
Fedora 36 | 3.0.5 | |
Fedora Rawhide | 3.0.5 | |
Ubuntu 22.04 | 3.0.2 | |
Oracle linux 9.0 | 3.0.1 | |
Kali 2022.3 | 3.0.5/3.0.4 | |
Redhat ES 9 | 3.0.0 | |
Redhat Enterprise Linux RHEL-9.0 | 3.0.1 | |
OpenBSD 7.2 | 3.0.5 | |
OpenBSD 7.1 | 3.0.2 | |
Linux Mint 21 Vanessa | 3.0.2 | |
Maegia Cauldron | 3.0.5 | |
OpenMandriva | 3.0.6 | |
Rocky Linux release 9.0 (Blue Onyx) | 3.0.1 | |
Debian unstable sid/sting bookworm | 3.0.5 | |
Linux lite 6.0 fluorite | 3.0.2u | |
Almalinux OS 9.0 | 3.0.1e | |
CentOS Stream 9 | 3.0.1 | |
Nix unstable | 3.0.5 | |
Gentoo linux unstable | 3.0.5 | |
Kubuntu 22.10 kinetic/22.04 jammy | 3.0.5/3.0.2 | |
Lubuntu 22.10 kinetic/22.04 jammy | 3.0.5/3.0.2 | |
xubuntu 22.10 kinetic/22.04 jammy | 3.0.5/3.0.2 | |
Ubuntu MATE kinetic/22.04 jammy | 3.0.5/3.0.2 | |
Ubuntu Budgie 22.10 kinetic/22.04 jammy | 3.0.5/3.0.2 | |
Ubuntu Studio 22.10 kinetic/22.04 jammy | 3.0.5/3.0.2 | |
Ubuntu Unity 22.10 kinetic | 3.0.5 | |
Ubuntu Kylin 22.04 jammy | 3.0.2 |
view rawVulnerableDistros|OpenSSL.csv hosted with love by GitHub
How To Detect If You Are Vulnerable
As shown above, OpenSSL can be used in multiple places in your organization. We’ve created a list of 5 methods to detect which OpenSSL version you are using and determine if you are exposed to the vulnerability:
1. OpenSSL Version Command
The command allows you to determine the version your system is currently using. Based on that you can tell if the version is 3.0.*.
ubuntu@ubuntu:~$ openssl version
OpenSSL 1.1.1n 15 Mar 2022
2. Linux Package Managers
Amazon Linux:
repoquery --all --pkgnarrow=installed --qf="%{NAME} %{VERSION} %{RELEASE}" | grep openssl
OR
rpm -qa --queryformat "%{NAME} %{VERSION} %{RELEASE}\n" | grep openssl
Debian & Ubuntu:
dpkg-query -W -f="\${Package},\${Version}\n" | grep openssl
RHEL, Fedora, Oracle, CentOS:
rpm -qa --queryformat "%{NAME} %{VERSION} %{RELEASE}\n"` | grep openssl
3. Docker Image Vulnerability Database
The Docker Image Vulnerability Database can help you find vulnerable Docker images. For now, the placeholder is dubbed “DSA-2022-0001.”
4. Vulnerability Scanning For Docker Local Images
apt-get update && apt-get install docker-scan-plugin
The docker scan
command allows you to scan existing Docker images using the image name or ID. For example, run the following command to scan the hello-world image:
docker scan hello-world
5. Trivy
sudo trivy image --format spdx oraclelinux:9 | grep -i -C 4 openssl
Suggest an edit to this article
Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.
Remember, CyberSecurity Starts With You!
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.