
OpenSSL 3.0.7 Patch – Spooky TLS: The Patch That Gave Everyone a Halloween Scare

Spooky TLS scared all of us last week, but today we came to find out that this may have been overblown - it was downgraded from CRITICAL to HIGH primarily due to non-exploitability (under most circumstances) for RCE. If you are still looking to identify and remediate assets with 3.x, we are here for you.

Status
A warning was issued on Tuesday, October 25 directly from OpenSSL: https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
     OpenSSL 3.0.7 is a security-fix release.

     The highest severity issue fixed in this release is CRITICAL

Most teams got hold of the warning before the end of the business week and began the patch management process ahead of the disclosure, which happens today (November 1). The last critical vulnerability from OpenSSL was Heartbleed (CVE-2014-0160), eight years ago.

Vulnerability Severity
At first glance at the release notes, it appears that this may have been overblown. It would require a vulnerable TLS client to connect to a malicious server, which is more of a phishing-style attack than remote code execution. Additionally, it requires either a CA to have signed the malicious certificate, or the application to continue certificate verification despite failing to construct a path to a trusted issuer.

In a TLS client, it could be triggered by connecting to a malicious server; in a TLS server, it could be triggered if the server requests client authentication and a malicious client connects.

Additionally, it was downgraded from CRITICAL to HIGH primarily due to non-exploitability (under most circumstances) for RCE.

Affected Systems
OpenSSL 3 is not the same thing as SSLv3: this vulnerability exists only in OpenSSL version 3.x, not in the SSLv3 protocol.

The vulnerability affects only OpenSSL version 3.0.0 to 3.0.6, with the patch being shipped in version 3.0.7. Given the very recent release date of OpenSSL 3.0.0, older appliances with hardcoded OpenSSL versions are unlikely to be vulnerable.

NCSC-NL has a helpful list of confirmed affected/unaffected software here: https://github.com/NCSC-NL/OpenSSL-2022/tree/main/software
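As an added example (not part of the original article or of Tromzo's product), the version logic above turned into a small inventory check: it parses `openssl version` banners, classifies them against the 3.0.0 to 3.0.6 affected range versus 3.0.7 and later, and also classifies the OpenSSL the running Python interpreter is linked against. The sample banners are constructed; note that statically linked applications bundle their own OpenSSL and must be checked separately from the system binary.

```python
import re
import ssl

# Range the advisory gives as affected: 3.0.0 through 3.0.6; 3.0.7 ships the fix.
AFFECTED_MIN = (3, 0, 0)
FIXED = (3, 0, 7)

# Matches "OpenSSL 3.0.6 ..." and letter-suffixed 1.x banners such as "OpenSSL 1.1.1q ...".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)


def parse_openssl_version(banner):
    """Extract (major, minor, patch) from an `openssl version` banner.

    Returns None for banners that are not OpenSSL (e.g. LibreSSL) or cannot be parsed.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups()[:3])


def classify(banner):
    """Map a banner to 'affected', 'patched', 'not_affected' or 'unknown'."""
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown"          # not OpenSSL, or unparsable: needs a manual look
    if v[0] != 3:
        return "not_affected"     # 1.x and earlier never contained the vulnerable code
    if AFFECTED_MIN <= v < FIXED:
        return "affected"
    return "patched"              # 3.0.7 and later


def classify_runtime():
    """Classify the OpenSSL library this interpreter's ssl module is linked against."""
    return classify(ssl.OPENSSL_VERSION)


# Constructed sample banners in the format printed by `openssl version`.
SAMPLE_BANNERS = [
    "OpenSSL 3.0.6 11 Oct 2022",
    "OpenSSL 3.0.7 1 Nov 2022",
    "OpenSSL 1.1.1q  5 Jul 2022",
    "LibreSSL 3.3.6",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b!r:32} -> {classify(b)}")
    print("runtime:", ssl.OPENSSL_VERSION, "->", classify_runtime())
```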

How To Detect with Tromzo
Tromzo can help with identifying all vulnerable software assets and help with the remediation of this issue.
We trust that your teams already completed the patch management last week, over the weekend and early this week. If you need help, we are here for you. Please feel free to contact us at [email protected] and we will help you through this vulnerability.
