New Critical Vuln In Component That Allows Encryption Across Internet – Industry Comment

Following news of a critical zero-day vulnerability in OpenSSL, a component that allows nearly all encryption across the Internet to happen, please see the comment below from information security and industry experts.

This is only the second critical vulnerability to be identified in OpenSSL since the Heartbleed bug in 2014 (which was considered a disaster), but given the potential severity of the issue, experts are concerned about the level of preparedness in many organisations.

Brian Fox, CTO and co-founder
October 27, 2022 1:54 pm

For many years, I have included a thought experiment in each presentation I give. It shouldn’t be provocative, but sadly it is.

I ask: if I told you about a new vulnerability right now, how long would it take you to answer these questions? Are you using any version of this component anywhere in your portfolio? In which applications are you using the affected versions? And how long until you can remediate this?

The unprepared scrambled last year when news about Log4Shell dropped. Our data shows that organizations who were prepared were able to remediate thousands of applications within days. The data also shows that today, 38% of the Maven Central downloads for Apache Log4j are still of the known vulnerable versions, so clearly lots of organizations are still unprepared.

Yesterday, a critical issue was pre-announced that affects OpenSSL. OpenSSL allows nearly all encryption across the internet to happen – it is considered part of the internet’s critical infrastructure.

All we know so far is that the issue is considered critical by the team, only the second critical vulnerability in OpenSSL since they started tracking after the Heartbleed bug and fallout in 2014. We know that this only seems to affect versions 3.0 and above, but not how broadly applicable or how easily exploitable this issue will be, and that it will be fully disclosed on November 1st.

If you aren’t able to immediately answer the three questions I posed above, you have six days to prepare. The clock is ticking.

Last edited 1 month ago by Brian Fox
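A defender-side way to answer the three questions above against per-application SBOMs, added here as an example (not the commenter's or the site's code). It assumes CycloneDX-style JSON, one SBOM per application, and uses only the scope stated on the page (OpenSSL 3.0 and above), since the fix version was not yet public at the time of the pre-announcement:

```python
"""Answer the three questions (used anywhere? which apps? how much to fix?)
over a set of CycloneDX-style SBOMs. Added example; the only scope fact used
is the page's statement that the issue affects OpenSSL 3.0 and above."""
import json
import re

# Constructed sample: three applications, each with its own SBOM.
SBOMS = {
    "payments-api": json.dumps({"components": [
        {"name": "openssl", "version": "3.0.5", "purl": "pkg:generic/openssl@3.0.5"},
        {"name": "log4j-core", "version": "2.17.1"},
    ]}),
    "legacy-portal": json.dumps({"components": [
        {"name": "openssl", "version": "1.1.1q"},   # 1.1.1 branch: outside stated scope
    ]}),
    "edge-proxy": json.dumps({"components": [
        {"name": "OpenSSL", "version": "3.0.2"},    # mixed case, still OpenSSL
    ]}),
}

AFFECTED_MAJOR = 3  # "versions 3.0 and above", per the pre-announcement

def parse_version(v):
    """Split '3.0.5' or '1.1.1q' into comparable ints; letter suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unparseable OpenSSL version: {v!r}")
    return tuple(int(x or 0) for x in m.groups())

def is_affected(version):
    """True when the version falls in the pre-announced 3.x scope."""
    return parse_version(version)[0] >= AFFECTED_MAJOR

def triage(sboms):
    """Return ({app: [all OpenSSL versions]}, {app: [versions in scope]})."""
    using, affected = {}, {}
    for app, raw in sboms.items():
        for comp in json.loads(raw).get("components", []):
            if comp.get("name", "").lower() != "openssl":
                continue
            ver = comp.get("version", "")
            using.setdefault(app, []).append(ver)
            if is_affected(ver):
                affected.setdefault(app, []).append(ver)
    return using, affected

if __name__ == "__main__":
    using, affected = triage(SBOMS)
    print("Q1 using OpenSSL anywhere:", bool(using))
    print("Q2 apps on in-scope (3.x) versions:", affected)
    print("Q3 remediation queue size:", sum(len(v) for v in affected.values()))
```

Once the advisory names the fixed release, narrow `is_affected` to an upper bound rather than flagging every 3.x build.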
Information Security Buzz