Everywhere you look the past few days you read about OpenSSL. Recent news reported two vulnerabilities (CVE-2022-3602 and CVE-2022-3786) listed as ‘critical’ and initially compared to Heartbleed. Since the initial reporting, these CVEs have been downgraded to ‘high’, so they no longer carry ‘Heartbleed’ status, but nonetheless they are still important.
There are lots of articles out there right now covering these and other OpenSSL vulnerabilities, the associated risks, and how to patch, so we won’t go deep into that here. From our perspective, here are the top things you need to do to address this and other high-priority updates.
- Keep tabs on news sources. In this case, guidance was issued on October 25th warning IT administrators to check their asset inventory and prepare to patch when the update was available.
- Know your inventory. Are you at risk? Do you have OpenSSL in your environment? If you don’t know, you cannot address the critical issues as they arise. Know where the software – in this case OpenSSL – is deployed in your environment so that you can ensure it is properly secured.
- Patch. Once you understand the issue, you have your inventory, and the patch is out, it is time to patch and/or upgrade. The updated version of OpenSSL was released on November 1st, so it is time to patch right now. What is your plan?
- Scan regularly. Not every vulnerability will be highly publicized, so make sure you (or a third party) are performing vulnerability scans regularly so that you are not caught off guard when an important vulnerability arises. Keep especially close tabs on your external environment and critical assets.
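The "Know your inventory" step above comes down to answering one question per host: which OpenSSL is installed, and is it in the affected range? The script below is an added example (not part of the original post): it parses the banner printed by `openssl version`, classifies each host as affected, not affected, or unparseable, and uses a small constructed inventory as input. The affected range (3.0.0 through 3.0.6) and the fixed release (3.0.7) are assumptions taken from the OpenSSL project's advisory rather than from this post; confirm them against the advisory before relying on the output.

```shell
#!/bin/sh
# Added example: minimal OpenSSL inventory check.
# ASSUMPTION (from the OpenSSL advisory, not this post): 3.0.0 .. 3.0.6 are
# affected by CVE-2022-3602 / CVE-2022-3786 and 3.0.7 is the fixed release.
AFFECTED_MAJOR=3
AFFECTED_MINOR=0
AFFECTED_PATCH_MAX=6
FIXED_VERSION="3.0.7"

# Pull "X.Y.Z" out of a banner such as "OpenSSL 3.0.5 5 Jul 2022".
# Letter suffixes on the 1.1.1 line ("1.1.1q") are dropped by the trailing ".*".
openssl_version_of() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit status 0 when X.Y.Z falls inside the assumed affected range.
openssl_is_affected() {
    v="$1"
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$major" -eq "$AFFECTED_MAJOR" ] && [ "$minor" -eq "$AFFECTED_MINOR" ] && [ "$patch" -le "$AFFECTED_PATCH_MAX" ]
}

# Classify one host from its hostname and the output of `openssl version`.
# An unparseable banner is reported, not silently treated as safe.
classify_host() {
    host=$1; banner=$2
    ver=$(openssl_version_of "$banner")
    if [ -z "$ver" ]; then
        echo "$host UNKNOWN (could not parse: $banner)"
    elif openssl_is_affected "$ver"; then
        echo "$host AFFECTED $ver -> upgrade to $FIXED_VERSION"
    else
        echo "$host ok $ver"
    fi
}

# Constructed sample inventory: "<hostname> <openssl version banner>" per line.
# In practice, collect the banner from each host (ssh, config management, agent).
INVENTORY='web01 OpenSSL 3.0.5 5 Jul 2022
db01 OpenSSL 1.1.1q  5 Jul 2022
app02 OpenSSL 3.0.7 1 Nov 2022
legacy LibreSSL 3.3.6'

run_inventory() {
    printf '%s\n' "$INVENTORY" | while read -r host banner; do
        classify_host "$host" "$banner"
    done
}

run_inventory
```

Hosts reported as UNKNOWN (other TLS libraries, or OpenSSL bundled inside an application rather than the system package) still need a manual check, since a vulnerable copy can ship inside a product without appearing in `openssl version`.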