Everyone depends on OpenSSL. You might not know it, but OpenSSL makes it possible to use secure Transport Layer Security (TLS) on Linux, Unix, Windows, and many other platforms. It is used to lock down every secure communications and networking application and device.
So we should all be concerned about what Mark Cox, Red Hat Distinguished Software Engineer and VP of Security at the Apache Software Foundation (ASF), tweeted this week, “OpenSSL 3.0.7 update to fix critical CVE Next Tuesday 1300-1700UTC.”
How bad is “critical”? According to OpenSSL, an issue of critical severity affects common configurations and is exploitable.
It is likely to be abused to reveal server memory contents or user details, and can easily be used remotely to compromise server private keys or execute code remotely. In other words, everything you don’t want happening on your production systems.
The last time OpenSSL took a kick in its security teeth like this was in 2016. That vulnerability could be used to disable and take over systems. Years after its arrival, security firm Check Point estimated that 42% of companies were affected.
It could be worse. One can only hope it’s not as bad as OpenSSL’s all-time champion of security holes, 2014’s Heartbleed.
Why declare a security hole before the patch comes in? Cox explained, “It’s our policy … to give everyone a date by which they will be ready to analyze the advice and see if the problem affects them.”
But couldn’t a hacker find it and use it as a zero-day? He didn’t think so. “Given the number of changes in 3.0 and the lack of any other contextual information, such a search is highly unlikely.”
There is another small silver lining in this dark cloud. This new vulnerability only affects OpenSSL versions 3.0.0 through 3.0.6. Therefore, older operating systems and devices are likely to avoid these issues. For example, Red Hat Enterprise Linux (RHEL) 8.x and earlier and Ubuntu 20.04 have nothing to fear from it. RHEL 9.x and Ubuntu 22.04, however, are a different story. They use OpenSSL 3.x.
If you are a Linux user, you can check your own computer by running the shell command:
# openssl version
In my case, the laptop in front of me is running Debian Bullseye. It uses OpenSSL 1.1, so this machine is good.
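As an added example (not part of the original article and not OpenSSL project code), the script below reports whether `openssl version` output falls in the 3.0.0 through 3.0.6 range given above. The function name `classify_openssl`, its result labels and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not OpenSSL project code. Reports whether an
# `openssl version` string falls in the 3.0.0 through 3.0.6 range.

# classify_openssl "<openssl version output>"
# prints: in-range | out-of-range | unknown
classify_openssl() {
    name=$(printf '%s\n' "$1" | awk '{print $1}')
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    # LibreSSL and empty input are not judged here.
    [ "$name" = "OpenSSL" ] || { echo unknown; return 0; }
    case "$ver" in
        3.0.[0-6])            echo in-range ;;      # 3.0.0 .. 3.0.6
        3.0.[0-6][!0-9]*)     echo unknown ;;       # e.g. 3.0.0-beta1
        [0-9]*.[0-9]*.[0-9]*) echo out-of-range ;;  # 1.1.1n, 3.0.7, 3.0.10
        *)                    echo unknown ;;
    esac
}

# Constructed sample outputs, not captured from real hosts.
for line in \
    "OpenSSL 1.1.1n  15 Mar 2022" \
    "OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)" \
    "OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)" \
    "LibreSSL 3.3.6"
do
    printf '%-13s %s\n' "$(classify_openssl "$line")" "$line"
done

# The binary on PATH, if there is one.
if command -v openssl >/dev/null 2>&1; then
    local_out=$(openssl version 2>/dev/null) || local_out=""
    printf 'local: %s (%s)\n' "$(classify_openssl "$local_out")" "$local_out"
fi
```

Distributions often backport security fixes without changing the upstream version string, so confirm an in-range result against the installed package version and your vendor's advisory. The binary on PATH is also only one copy; applications can bundle their own libssl.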
But if you’re using anything with OpenSSL 3.x — anything — get ready for Patch Tuesday. This is likely to be a bad security hole, and exploits will soon follow. You need to secure your systems as soon as possible.