Security Experts:

Cybersecurity Vendors Assessing Impact of Recent OpenSSL Vulnerability

Cybersecurity vendors are assessing the impact of an OpenSSL vulnerability

Cybersecurity, cloud, storage and other vendors are assessing the impact of a recent OpenSSL vulnerability on their products and services.

Updates released by the OpenSSL Project earlier this month patch a high-severity denial-of-service (DoS) vulnerability related to certificate parsing.

The security hole, tracked as CVE-2022-0778 and reported by Google vulnerability researcher Tavis Ormandy, affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It has been fixed with the release of versions 1.0.2zd, 1.1.1n and 3.0.2.

Exploitation of the vulnerability is possible in certain situations, and it can lead to a DoS attack against a process that parses externally supplied certificates.

[ READ: Evolution of OpenSSL Security After Heartbleed ]

Technical details and at least one proof-of-concept (PoC) exploit are publicly available, and companies whose products and services rely on OpenSSL have started assessing its impact.

Palo Alto Networks on Wednesday informed customers that it’s still investigating the impact of CVE-2022-0778 on its products, but the company has so far confirmed that PAN-OS, the GlobalProtect app, and the Cortex XDR agent software contain a vulnerable version of OpenSSL. Fixes are being developed for affected products.

“For PAN-OS software, this includes both hardware and virtual firewalls and Panorama appliances as well as Prisma Access customers. This vulnerability has reduced severity on Cortex XDR agent and Global Protect app as successful exploitation requires an attacker-in-the-middle attack (MITM),” the company explained.

F5 says the OpenSSL vulnerability affects BIG-IP and Traffix products and it’s working on patches. BIG-IP is only affected if specific configurations are used.

Check Point has also confirmed that several of its products are affected and the company has released patches.

Sophos says the vulnerability impacts its Firewall, UTM and Web Appliance products. The company’s advisory informs customers that fixes are scheduled for late March and April.

Other cybersecurity vendors that are currently investigating the impact of CVE-2022-0778 include SonicWall and Pulse Secure.

QNAP published an advisory this week to inform customers that several versions of its QTS, QuTS and QuTScloud operating systems for NAS devices are affected. The storage solutions provider is working on patches.

The developers of the VyOS open source router and firewall platform have also confirmed that version 1.3.0 is affected. The OpenSSL component has been updated with the recent VyOS 1.3.1 release.

AWS has also released a brief security bulletin, informing customers that it’s aware of the issue and investigating impact on its services.

NetApp has also identified over a dozen affected products and it has started releasing patches.

Red Hat initially said it was not directly affected by the flaw, but further investigation revealed that some versions of Red Hat Enterprise Linux are vulnerable to DoS attacks. Other Linux distributions have also released advisories.

Related: OpenSSL Vulnerability Can Be Exploited to Change Application Data

Related: Companies Release Security Advisories in Response to New OpenSSL Vulnerabilities

Related: Three New Vulnerabilities Patched in OpenSSL

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.