In this advisory, we cover the core facts about the recently disclosed security vulnerabilities in the OpenSSL project, how urgently they need to be addressed, how to respond, and how to better prepare for future vulnerabilities.
OpenSSL today released version 3.0.7 to remediate two potential security vulnerabilities, CVE-2022-3786 and CVE-2022-3602. Both vulnerabilities are buffer overruns in X.509 certificate verification that could cause a crash, resulting in a denial of service.
Prior to the public release of the fixes, there was some concern that the vulnerabilities could allow remote code execution, but further analysis has shown that not to be possible, given the stack layouts of common platform/compiler combinations and the stack overflow protections now present on many platforms.
While there are no known exploits or easy paths to exploiting this vulnerability, it is still recommended that all users of OpenSSL 3.0.x upgrade to the new 3.0.7 release. It is worth noting that OpenSSL 3.0 was only released in May of this year, so the vast majority of users do not have any upgrades to apply.
Linux distributions and other operating system vendors have already prepared and released patches that you can apply if you are on an affected version. If you use a self-compiled OpenSSL from the 3.0.x release branch, you will need to build the updated version of the library for those use cases.
This vulnerability is in a core operating system component, so most organizations will rely on an update provided by their operating system vendor. Many other vulnerabilities, however, are found in the components and libraries used to build and run your organization's custom applications. When those arise, accurate and up-to-date software bills of materials (SBOMs) are essential for a rapid response.
The Tidelift Subscription allows organizations to centrally manage a catalog of pre-vetted open source components that are approved for use across the organization, while dynamically generating up-to-date SBOMs after every application build. This makes it easy for an organization to quickly identify whether the affected component is in use and where, so remediation can be handled in a timely and comprehensive manner.
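As an added illustration of the SBOM-driven check described above (not Tidelift's or OpenSSL's own code), the following script flags OpenSSL entries in the affected 3.0.0 through 3.0.6 range. It assumes a simplified CycloneDX-style SBOM (a `components` list with `name` and `version`) and a constructed sample document; the SBOM shape and sample values are assumptions, not taken from any real build.

```python
import json
import re

# Range stated in the advisory: OpenSSL 3.0.0 through 3.0.6 are affected; 3.0.7 is fixed.
FIXED_VERSION = (3, 0, 7)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def is_affected_openssl(version: str) -> bool:
    """Return True if an OpenSSL version string falls in the 3.0.0-3.0.6 range.

    Distribution suffixes such as '3.0.2-0ubuntu1.7' are ignored for the
    comparison. A distro may backport the fix without bumping the upstream
    version, so treat a hit as 'confirm against your vendor's advisory'.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        return False  # unparseable string: not a recognisable 3.0.x build
    major, minor, patch = (int(x) for x in m.groups())
    # Legacy '1.1.1q' style strings parse as 1.1.1 and are correctly excluded here.
    return (major, minor) == (3, 0) and (major, minor, patch) < FIXED_VERSION


def version_from_cli_output(output: str) -> str:
    """Extract the version token from `openssl version` output,
    e.g. 'OpenSSL 3.0.2 15 Mar 2022' -> '3.0.2'."""
    parts = output.split()
    return parts[1] if len(parts) > 1 and parts[0] == "OpenSSL" else ""


def find_affected_components(sbom: dict) -> list:
    """Scan a CycloneDX-style SBOM for OpenSSL components in the affected
    range and return (name, version) pairs that need the 3.0.7 upgrade."""
    hits = []
    for comp in sbom.get("components", []):
        name = comp.get("name", "")
        if name.lower() == "openssl" and is_affected_openssl(comp.get("version", "")):
            hits.append((name, comp["version"]))
    return hits


# Constructed sample SBOM (not from any real build), shaped like CycloneDX JSON.
SAMPLE_SBOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"type": "library", "name": "openssl", "version": "3.0.5"},
  {"type": "library", "name": "openssl", "version": "3.0.7"},
  {"type": "library", "name": "openssl", "version": "1.1.1q"},
  {"type": "library", "name": "libcurl", "version": "7.85.0"}]}
""")

if __name__ == "__main__":
    for name, version in find_affected_components(SAMPLE_SBOM):
        print(f"upgrade needed: {name} {version} -> 3.0.7")
```

A hit on a vendor-packaged build is a prompt to check the distribution's advisory, since backported fixes do not always change the upstream version string.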
To be better prepared to react quickly to vulnerabilities, Tidelift recommends that organizations implement a proactive, people- and software-based approach to managing the health and security of their open source software supply chain.
If you’d like to learn more about the Tidelift approach to proactively managing open source: