Cybersecurity Vendors Assessing Impact of Recent OpenSSL Vulnerability
Cybersecurity, cloud, storage and other vendors are assessing the impact of a recent OpenSSL vulnerability on their products and services.
Updates released by the OpenSSL Project earlier this month patch a high-severity denial-of-service (DoS) vulnerability related to certificate parsing.
The security hole, tracked as CVE-2022-0778 and reported by Google vulnerability researcher Tavis Ormandy, affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It has been fixed with the release of versions 1.0.2zd, 1.1.1n and 3.0.2.
Exploitation of the vulnerability is possible in certain situations, and it can lead to a DoS attack against a process that parses externally supplied certificates.
Technical details and at least one proof-of-concept (PoC) exploit are publicly available, and companies whose products and services rely on OpenSSL have started assessing its impact.
Palo Alto Networks on Wednesday informed customers that it’s still investigating the impact of CVE-2022-0778 on its products, but the company has so far confirmed that PAN-OS, the GlobalProtect app, and the Cortex XDR agent software contain a vulnerable version of OpenSSL. Fixes are being developed for affected products.
“For PAN-OS software, this includes both hardware and virtual firewalls and Panorama appliances as well as Prisma Access customers. This vulnerability has reduced severity on Cortex XDR agent and Global Protect app as successful exploitation requires an attacker-in-the-middle attack (MITM),” the company explained.
F5 says the OpenSSL vulnerability affects BIG-IP and Traffix products and it’s working on patches. BIG-IP is only affected if specific configurations are used.
Check Point has also confirmed that several of its products are affected and the company has released patches.
Sophos says the vulnerability impacts its Firewall, UTM and Web Appliance products. The company’s advisory informs customers that fixes are scheduled for late March and April.
QNAP published an advisory this week to inform customers that several versions of its QTS, QuTS and QuTScloud operating systems for NAS devices are affected. The storage solutions provider is working on patches.
The developers of the VyOS open source router and firewall platform have also confirmed that version 1.3.0 is affected. The OpenSSL component has been updated with the recent VyOS 1.3.1 release.
AWS has also released a brief security bulletin, informing customers that it’s aware of the issue and investigating impact on its services.
NetApp has also identified over a dozen affected products and it has started releasing patches.
Red Hat initially said it was not directly affected by the flaw, but further investigation revealed that some versions of Red Hat Enterprise Linux are vulnerable to DoS attacks. Other Linux distributions have also released advisories.