OpenSSL patched today.
November 1, 2022 – Published on The Cyberwire
Today, November 1st, OpenSSL is releasing a patch for a critical vulnerability in OpenSSL versions 3.0.0 and above.
How to interpret OpenSSL’s downgrading of the vulnerability from “Critical” to “High Severity.”
Added, 1:45 PM, 11.1.22.
Victor Wieczorek, VP of App Sec, Threat & Attack Simulation at GuidePoint Security, notes that OpenSSL has changed its rating of the vulnerability from “critical” to “high severity,” and thinks this gets it right, given the challenges of exploitation:
“The move from ‘critical’ vulnerability to ‘high severity’ is appropriate, given the analysis that the OpenSSL Project provided. Exploiting this vulnerability requires quite a bit of setup and a number of factors to fall into place before it could be leveraged. Organizations should perform analysis to see if they are impacted, although there are relatively limited affected systems, as the attack primarily impacts the client side, not the server. Technologies like SCA (software composition analysis) tools can help organizations identify where these components are so they can create an inventory and then a plan for remediation based on risk.”
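The impact analysis Wieczorek recommends starts with an inventory of OpenSSL builds. The following is an added example, not code from the article or from GuidePoint Security: it triages constructed inventory lines (host, tab, version string) against the affected range the article states (3.0.0 and above). The article does not give the patched release number, so `PATCHED_VERSION_PLACEHOLDER` is an assumed placeholder to be replaced with the version in the OpenSSL advisory.

```python
import re

# Matches "3.0.5", "1.1.1q" or the version inside "OpenSSL 3.0.4 21 Jun 2022".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Placeholder only: the article states no fixed version; take it from the advisory.
PATCHED_VERSION_PLACEHOLDER = "3.0.99"

# Constructed sample inventory: one "<host>\t<openssl version output>" line per host.
SAMPLE_INVENTORY = [
    "web-01\tOpenSSL 3.0.5 5 Jul 2022",
    "build-02\t3.0.2-dev",
    "legacy-03\tOpenSSL 1.1.1q 5 Jul 2022",
    "api-04\tunknown",
]


def parse_version(text):
    """Return (major, minor, patch, letters) from a version string, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), letters)


def is_affected(version_text, fixed_version):
    """True if the build is 3.0.0 or later (the stated range) but older than the fix."""
    v = parse_version(version_text)
    fixed = parse_version(fixed_version)
    if v is None or fixed is None:
        return False
    if v[:3] < (3, 0, 0):
        return False  # 1.1.1 and earlier are outside the range the article gives
    return v < fixed  # tuple comparison: major, minor, patch, then letter suffix


def triage_inventory(lines, fixed_version):
    """Split inventory into hosts needing the patch and lines that could not be parsed."""
    affected, unparsed = {}, []
    for line in lines:
        host, _, version = line.partition("\t")
        if parse_version(version) is None:
            unparsed.append(host)  # surface these; "not parsed" is not "not affected"
        elif is_affected(version, fixed_version):
            affected[host] = version.strip()
    return affected, unparsed


if __name__ == "__main__":
    needs_patch, unknown = triage_inventory(SAMPLE_INVENTORY, PATCHED_VERSION_PLACEHOLDER)
    print("needs patch:", needs_patch)
    print("could not parse:", unknown)
```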