Published: February 9, 2023

Overview

OpenSSL has released a security advisory to address multiple vulnerabilities affecting OpenSSL versions 3.0.0, 1.1.1, and 1.0.2. An attacker could exploit some of these vulnerabilities to obtain sensitive information or cause denial of service.

Background

OpenSSL is an encryption library widely used in on-premises environments, SaaS applications, datacenter servers, critical endpoints, and IoT infrastructures. OpenSSL is found in both commercial and government organizations.

Impact

The advisory includes one high severity vulnerability, CVE-2023-0286, a flaw in the X.509 certificate verification module that can lead to exposure of encrypted data or denial of service. The advisory also includes vulnerabilities of moderate severity: CVE-2022-4304, CVE-2022-4203, CVE-2023-0215, CVE-2022-4450, CVE-2023-0216, CVE-2023-0217, and CVE-2023-0401. These are vulnerabilities in both X.509 certificate verification and data decryption that can lead to exposure of data or secret key information, or to a crash of the OpenSSL library.

Refer to the OpenSSL Security Advisory [7th February 2023] for more details on the implications of the detected vulnerabilities.

Applicable Versions

Affected Versions                 Fixed Versions
OpenSSL versions 3.0.0 to 3.0.7   3.0.8
OpenSSL version 1.1.1             1.1.1t
OpenSSL version 1.0.2             1.0.2zg
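As an added example (it is not part of this advisory and not OpenSSL's or Netsurion's own tooling), the following Python script compares an OpenSSL version string against the fixed versions in the table above. It handles the letter-suffixed 1.x release lines (1.0.2z is older than 1.0.2za, which is older than 1.0.2zg) as well as the numeric 3.0.x line. The function names and the constructed sample strings are assumptions made for this illustration.

```python
"""Compare an OpenSSL version string with the fixed versions from the
OpenSSL Security Advisory [7th February 2023].

Added example; function names and sample inputs are constructed for illustration.
"""
import re
import subprocess

# Fixed versions per release line, taken from the advisory's table.
FIXED_VERSIONS = {
    "3.0": "3.0.8",
    "1.1.1": "1.1.1t",
    "1.0.2": "1.0.2zg",
}

# major.minor.patch followed by an optional lowercase letter suffix (1.x lines only)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_version(text):
    """Turn '1.0.2zf' into a tuple that sorts in OpenSSL release order.

    The letter suffix runs a..z, then za..zz, so ordering by
    (length of suffix, suffix) reproduces the release order.
    """
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    major, minor, patch = (int(match.group(i)) for i in (1, 2, 3))
    suffix = match.group(4)
    return (major, minor, patch, len(suffix), suffix)


def release_line(version):
    """Map a parsed version to one of the release lines the advisory covers, or None."""
    major, minor, patch = version[:3]
    if (major, minor) == (3, 0):
        return "3.0"
    if (major, minor, patch) == (1, 1, 1):
        return "1.1.1"
    if (major, minor, patch) == (1, 0, 2):
        return "1.0.2"
    return None


def assess(version_text):
    """Return 'affected', 'fixed', or 'unknown' (not a release line in the advisory)."""
    version = parse_version(version_text)
    line = release_line(version)
    if line is None:
        return "unknown"
    fixed = parse_version(FIXED_VERSIONS[line])
    return "affected" if version < fixed else "fixed"


def extract_version(banner):
    """Pull the version token out of 'openssl version' output.

    Returns None for non-OpenSSL banners (e.g. LibreSSL), which this
    advisory does not cover.
    """
    match = re.match(r"^OpenSSL\s+(\S+)", banner.strip())
    return match.group(1) if match else None


def check_installed():
    """Run the local 'openssl version' binary and assess its reported version."""
    banner = subprocess.run(["openssl", "version"], capture_output=True,
                            text=True, check=True).stdout
    version = extract_version(banner)
    return "unknown" if version is None else assess(version)


if __name__ == "__main__":
    # Constructed sample banners, as 'openssl version' would print them.
    for sample in ("OpenSSL 3.0.7 1 Nov 2022", "OpenSSL 1.1.1t  7 Feb 2023",
                   "OpenSSL 1.0.2zf  7 Feb 2023", "LibreSSL 3.3.6"):
        version = extract_version(sample)
        print(sample, "->", "unknown" if version is None else assess(version))
```

A version string alone is not a complete check: Linux distributions commonly backport the fixes into packages whose reported version (for example a 1.1.1n-based package) predates the fixed release, so confirm against the distribution's own security notices, and remember that applications may bundle their own copy of the library rather than use the system one.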

Netsurion Detection and Response

Our security experts have determined that, at this time, no Netsurion products or services have been found to be impacted by these vulnerabilities. However, as per our development security practices, we will be providing an update package to upgrade the OpenSSL library to the latest version.

Netsurion’s Security Operations Center (SOC) is closely monitoring the OpenSSL situation for updates and any potential exploits by cyber criminals. We will update this Threat Advisory with any future details and attack surface reduction tips.

Contact your Netsurion Account Manager with any questions.

References: