OpenSSL flaw - Patch on November 1, 2022

A critical flaw will be patched on November 1, 2022

The OpenSSL Project Team announced that a critical security flaw will be fixed on November 1, 2022, with the release of OpenSSL v3.0.7. What are the risks?

As a reminder, OpenSSL is an open source library that is very popular on Linux systems and widely used by many applications, in particular to manage certificates. I am thinking in particular of Linux distributions like Ubuntu, Debian, RHEL, etc., as well as web servers such as Apache or Nginx, and even various vendors like Fortinet, Cisco, Sophos, Synology, Symantec, etc. A list much longer than your arm.

This new security flaw in OpenSSL is critical, which, according to the classification established by the OpenSSL team, means that it affects common configurations and that it is likely to be exploited in the context of a cyberattack. In the OpenSSL security policy, we can read: “This could be, for example, a major disclosure of the contents of the server’s memory (which could reveal user details), vulnerabilities that can be easily exploited remotely to compromise the server’s private keys, or a vulnerability allowing remote code execution”.

For the moment, and we’re not going to complain about it, there are no publicly available details about this vulnerability. However, we know that it only affects OpenSSL 3.0+. In other words, versions of OpenSSL before version 3.0 are not affected by this vulnerability. On Twitter, we can already read some conversations about this vulnerability, including: “RHEL 9 and Ubuntu 22.04 LTS ship OpenSSL 3.0, so be ready next Tuesday if you’re using those distros. Debian Stable provides OpenSSL 1.1.x and is not affected.”
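To check a host against the version range stated above (OpenSSL 3.0.0 up to the 3.0.7 fix), the following is an added example, not part of the original article. The function name, the result labels and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): classify an `openssl version` banner
# against the range the article states: OpenSSL 3.0.0 up to the 3.0.7 fix.

classify_openssl_version() {
    line=$1
    case $line in
        # Prefer the loaded library's version when the banner reports it.
        *"(Library: OpenSSL "*) ver=${line##*"(Library: OpenSSL "} ;;
        "OpenSSL "*)            ver=${line#"OpenSSL "} ;;
        # LibreSSL and others reuse 3.x numbers but are a different code base.
        *) echo "not-openssl"; return 0 ;;
    esac
    ver=${ver%% *}                        # keep only the version token
    case $ver in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo "unknown"; return 0 ;;
    esac
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}               # 1.1.1n -> 1, 2k-fips -> 2
    for n in "$major" "$minor" "$patch"; do
        case $n in ''|*[!0-9]*) echo "unknown"; return 0 ;; esac
    done
    if [ "$major" -lt 3 ]; then echo "not-affected"      # pre-3.0 branch
    elif [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -lt 7 ]; then
        echo "affected"                                  # 3.0.0 .. 3.0.6
    else echo "fixed"                                    # 3.0.7 or later
    fi
}

# Constructed sample banners, one per line.
while IFS= read -r sample; do
    printf '%-13s %s\n' "$(classify_openssl_version "$sample")" "$sample"
done <<'EOF'
OpenSSL 1.1.1n  15 Mar 2022
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
LibreSSL 3.3.6
EOF

# Classify the local binary too, if one is installed.
if command -v openssl >/dev/null 2>&1; then
    banner=$(openssl version 2>/dev/null)
    printf 'local: %s -> %s\n' "$banner" "$(classify_openssl_version "$banner")"
fi
```

Distribution packages often backport fixes without changing the upstream version string, so confirm an "affected" result against the vendor's advisory. Applications that bundle their own copy of the library are not covered by this check.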

Depending on how easy this vulnerability is to exploit, it’s a safe bet that cybercriminals are already on the case… November 1st is next Tuesday: we can say that the month of November is going to start with a bang…


