ColorTokens Advisory on OpenSSL vulnerability

Last Updated

Nov 3, 2022

On October 12th, the OpenSSL team announced that version 3.0.6 was withdrawn and that an update was being prepared. On October 25th, the team announced that version 3.0.7 would be made available on November 1st between 1300-1700 UTC. The note also mentioned that the highest-severity issue fixed is rated CRITICAL. The OpenSSL team uses this severity level when a vulnerability affects common configurations and is also likely to be exploitable.

The vulnerability is said to impact all OpenSSL versions from 3.0.0 through 3.0.6. However, OpenSSL 3 is less widely deployed than its predecessors, so many enterprises may not be affected. For example, only the latest versions of Ubuntu Linux (Ubuntu 22) and Red Hat Linux (RHEL 9) ship with OpenSSL 3. Windows and macOS applications typically use LibreSSL, which is not affected.

No software is bug-free, and businesses should always be ready to deal with such situations.  Identifying affected systems and patching them as soon as possible is vital.  However, malicious actors will use this window to breach systems and establish a foothold. Adopting a zero-trust approach can help mitigate the damage caused by such a breach.  Application allow-listing prevents unauthorized applications from running and can block malware payloads dropped during the breach.  And micro-segmentation can prevent the malicious actors from moving laterally within the infrastructure. 
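As a starting point for identifying affected systems, the following added example (not ColorTokens or OpenSSL project code) classifies the banner printed by `openssl version` against the 3.0.0 through 3.0.6 range stated in this advisory. The function name and result labels are assumptions, and the sample banners are constructed.

```sh
#!/bin/sh
# Added example: classify an `openssl version` banner against the range
# this advisory names as affected (OpenSSL 3.0.0 through 3.0.6).
# Prints one of: affected | not-affected | not-openssl | unknown
classify_openssl_version() (
    banner=$1
    product=${banner%% *}      # first field, e.g. "OpenSSL" or "LibreSSL"
    rest=${banner#* }
    version=${rest%% *}        # second field, e.g. "3.0.5" or "1.1.1f"

    if [ "$product" != "OpenSSL" ]; then
        # Forks such as LibreSSL use their own version numbers ("3.3.6"),
        # which must never be compared against the OpenSSL range.
        echo not-openssl
    elif ! expr "$version" : '[0-9][0-9]*\.[0-9][0-9]*\.[0-9]' >/dev/null 2>&1; then
        echo unknown           # no MAJOR.MINOR.PATCH prefix to compare
    else
        major=${version%%.*}; rest=${version#*.}
        minor=${rest%%.*};    tail=${rest#*.}
        patch=${tail%%[!0-9]*}       # leading digits of the third field
        suffix=${tail#"$patch"}      # e.g. "f", "k-fips", "-beta1"
        if [ "$major" -ne 3 ] || [ "$minor" -ne 0 ] || [ "$patch" -gt 6 ]; then
            echo not-affected
        elif [ -n "$suffix" ]; then
            # Pre-release or vendor-tagged 3.0.x build: the advisory does
            # not cover these, so flag for manual review.
            echo unknown
        else
            echo affected
        fi
    fi
)

# Constructed sample banners (not captured from real hosts).
while IFS= read -r banner; do
    printf '%-13s %s\n' "$(classify_openssl_version "$banner")" "$banner"
done <<'EOF'
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
OpenSSL 1.1.1f  31 Mar 2020
LibreSSL 3.3.6
EOF

# Classify the binary on this host's PATH, if there is one.
if command -v openssl >/dev/null 2>&1; then
    printf 'this host: %s\n' "$(classify_openssl_version "$(openssl version)")"
fi
```

Distribution packages often backport fixes without changing the upstream version string, so an `affected` result means "check the vendor's package changelog", not proof of exposure. The check also sees only the binary on `PATH`; copies of the library bundled with or statically linked into applications need a separate inventory.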

ColorTokens Xprotect provides simple yet powerful application allow-listing, including support for parent-child execution paths.  This blocks malware from using approved applications as a launchpad or using approved and privileged applications to perform malicious actions. 

ColorTokens Xshield is a state-of-the-art, software-defined solution that provides instant visibility and a guided step-by-step approach to risk-free micro-segmentation. 

And ColorTokens Xcloud can help you quickly identify vulnerable systems in public cloud environments with no additional software required. 

For more information on how we can help, please visit us at Colortokens.com
