Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Cybersecurity Vendors Assessing Impact of Recent OpenSSL Vulnerability

Cybersecurity vendors are assessing the impact of an OpenSSL vulnerability

Cybersecurity vendors are assessing the impact of an OpenSSL vulnerability

Cybersecurity, cloud, storage and other vendors are assessing the impact of a recent OpenSSL vulnerability on their products and services.

Updates released by the OpenSSL Project earlier this month patch a high-severity denial-of-service (DoS) vulnerability related to certificate parsing.

The security hole, tracked as CVE-2022-0778 and reported by Google vulnerability researcher Tavis Ormandy, affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It has been fixed with the release of versions 1.0.2zd, 1.1.1n and 3.0.2.

Exploitation of the vulnerability is possible in certain situations, and it can lead to a DoS attack against a process that parses externally supplied certificates.

[ READ: Evolution of OpenSSL Security After Heartbleed ]

Technical details and at least one proof-of-concept (PoC) exploit are publicly available, and companies whose products and services rely on OpenSSL have started assessing its impact.

Palo Alto Networks on Wednesday informed customers that it’s still investigating the impact of CVE-2022-0778 on its products, but the company has so far confirmed that PAN-OS, the GlobalProtect app, and the Cortex XDR agent software contain a vulnerable version of OpenSSL. Fixes are being developed for affected products.

“For PAN-OS software, this includes both hardware and virtual firewalls and Panorama appliances as well as Prisma Access customers. This vulnerability has reduced severity on Cortex XDR agent and Global Protect app as successful exploitation requires an attacker-in-the-middle attack (MITM),” the company explained.

F5 says the OpenSSL vulnerability affects BIG-IP and Traffix products and it’s working on patches. BIG-IP is only affected if specific configurations are used.

Check Point has also confirmed that several of its products are affected and the company has released patches.

Sophos says the vulnerability impacts its Firewall, UTM and Web Appliance products. The company’s advisory informs customers that fixes are scheduled for late March and April.

Other cybersecurity vendors that are currently investigating the impact of CVE-2022-0778 include SonicWall and Pulse Secure.

QNAP published an advisory this week to inform customers that several versions of its QTS, QuTS and QuTScloud operating systems for NAS devices are affected. The storage solutions provider is working on patches.

The developers of the VyOS open source router and firewall platform have also confirmed that version 1.3.0 is affected. The OpenSSL component has been updated with the recent VyOS 1.3.1 release.

AWS has also released a brief security bulletin, informing customers that it’s aware of the issue and investigating impact on its services.

NetApp has also identified over a dozen affected products and it has started releasing patches.

Red Hat initially said it was not directly affected by the flaw, but further investigation revealed that some versions of Red Hat Enterprise Linux are vulnerable to DoS attacks. Other Linux distributions have also released advisories.

Related: OpenSSL Vulnerability Can Be Exploited to Change Application Data

Related: Companies Release Security Advisories in Response to New OpenSSL Vulnerabilities

Related: Three New Vulnerabilities Patched in OpenSSL

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Funding/M&A

Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.