Today, the OpenSSL team released OpenSSL version 3.0.7. This release includes fixes for two noteworthy “High” severity vulnerabilities (CVE-2022-3786 and CVE-2022-3602) that affect all versions of OpenSSL 3.0.0 up to 3.0.6. Security teams are encouraged to find relevant OpenSSL versions and upgrade to 3.0.7 as quickly as possible.
What is OpenSSL?
OpenSSL is a toolkit supporting secure communications in web servers and applications. As such, it’s a vital ingredient in the Transport Layer Security (TLS) protocol, which ensures data sent over the internet is kept safe from prying eyes.
Why should you be concerned?
This was initially announced as a “Critical” vulnerability coming in OpenSSL, but after the disclosure, it’s been downgraded to “High.” Based on details provided by the OpenSSL team, the circumstances required for the vulnerability to be exploited are less likely to occur than originally thought. Both CVE-2022-3786 and CVE-2022-3602 should still be patched even though they have been downgraded. The last serious vulnerability in OpenSSL was the notorious Heartbleed bug eight years ago.
The challenge is finding it
The key to reducing your organization’s risk is to find and patch or otherwise mitigate any affected implementations as soon as possible. But the challenge in patching widely used third-party open-source libraries like OpenSSL is to find all the places where it exists across the enterprise.
OpenSSL is distributed as source code that software vendors compile into their own products, and the resulting library can ship in several ways, from being statically linked inside a program binary to being loaded as a dynamically linked shared library. Dependencies of these kinds are difficult (or in many cases impossible) for traditional vulnerability scanners to detect. That’s why discovery requires a multi-layered approach.
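To make the discovery problem concrete, here is an added example (not Tanium’s code and not part of the original post) of one layer of such an approach: a small Python scanner that walks a directory tree, looks for the version banner that OpenSSL builds embed in libcrypto/libssl and in any executable that links the library statically (for instance the bytes "OpenSSL 3.0.5 5 Jul 2022"), and flags versions in the affected range 3.0.0 up to 3.0.6. It assumes the banner string survives in the shipped binary, and it uses a file-name heuristic (libssl.so.3, libcrypto-3-x64.dll and similar) to tell a dynamically linked shared library from a program that compiled OpenSSL in. The sample files it scans are constructed stand-ins, not real software.

```python
import re
import tempfile
from pathlib import Path

# OpenSSL builds embed a version banner such as b"OpenSSL 3.0.5 5 Jul 2022"
# in libcrypto/libssl and in any executable that links the library
# statically. Assumption: the banner survives in the shipped binary.
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)")

AFFECTED_MIN = (3, 0, 0)  # first affected release (from the advisory)
FIXED = (3, 0, 7)         # first fixed release (from the advisory)

# Heuristic (assumption): file names such as libssl.so.3, libcrypto-3-x64.dll
# or libssl.3.dylib mark a dynamically linked OpenSSL shared library.
SHARED_LIB_RE = re.compile(r"^lib(?:ssl|crypto)[.-]", re.IGNORECASE)


def openssl_versions_in(blob: bytes) -> set:
    """Return every OpenSSL version tuple whose banner appears in the bytes."""
    return {tuple(int(g) for g in m.groups()) for m in VERSION_RE.finditer(blob)}


def is_affected(version: tuple) -> bool:
    """True for 3.0.0 <= version < 3.0.7, the range the two CVEs cover."""
    return AFFECTED_MIN <= version < FIXED


def scan_tree(root: Path) -> list:
    """Walk root and report each file that embeds an OpenSSL banner or is
    named like an OpenSSL shared library. One dict per finding."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        try:
            versions = openssl_versions_in(path.read_bytes())
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        is_shared_lib = bool(SHARED_LIB_RE.match(path.name))
        if not versions and not is_shared_lib:
            continue
        findings.append({
            "path": path.relative_to(root).as_posix(),
            "versions": sorted(versions),
            # A banner inside a file that is not itself libssl/libcrypto means
            # the vendor compiled OpenSSL into the program (static linkage).
            "linkage": "dynamic" if is_shared_lib else "static",
            # None when a shared library carries no readable banner.
            "affected": any(is_affected(v) for v in versions) if versions else None,
        })
    return findings


def build_sample_tree() -> Path:
    """Constructed sample files standing in for real binaries (not real
    software): banners are placed inside filler bytes the way a build
    would embed them."""
    root = Path(tempfile.mkdtemp(prefix="openssl-scan-"))
    filler = b"\x00" * 64
    samples = {
        "bin/vendor-agent": b"\x7fELF" + filler + b"OpenSSL 3.0.5 5 Jul 2022" + filler,
        "lib/libssl.so.3": b"\x7fELF" + filler + b"OpenSSL 3.0.7 1 Nov 2022" + filler,
        "lib/libcrypto.so.1.1": b"\x7fELF" + filler + b"OpenSSL 1.1.1q  5 Jul 2022" + filler,
        "etc/readme.txt": b"no crypto library here\n",
    }
    for rel, content in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(finding)
```

Run against the constructed tree, the scanner reports the vendor agent as a statically linked, affected 3.0.5 copy, the libssl.so.3 as an already fixed 3.0.7, and the 1.1.1 library as out of the affected range, while the text file produces no finding. The banner check is only a heuristic: it surfaces copies that package-manager inventories never see, but it misses builds with the string removed, and it cannot tell whether a distribution backported the fix without bumping the version, so its results should be cross-checked against package metadata or an SBOM. On real hosts, replace read_bytes with chunked or mmap reads for large binaries.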
How can Tanium SBOM help?
Tanium has recently released a new capability called Tanium Software Bill of Materials (SBOM) to help customers identify third-party libraries associated with software packages. Tanium SBOM is an add-on to Tanium Asset.
Tanium SBOM utilizes a single Tanium agent to deliver real-time visibility into complex software environments, enabling your organization to make better-informed decisions around managing endpoint risk.
After configuring Tanium SBOM, you’ll know the details about every software application in your environment, and where vulnerable packages exist. Ask Tanium SBOM a simple question, and you’ll get an answer from across your environment — at scale and in just seconds.
Watch this short demo video to see how Tanium SBOM can address the OpenSSL vulnerability.
How to use Tanium SBOM to address OpenSSL
With Tanium, you’ll be able to:
- Understand every software component at runtime, uncovering software packages and breaking them apart to examine all constituent components without engaging the software vendor. It can probe thick client files and see inside thin client environments.
- Address vulnerabilities or misconfigurations found in those components.
- Take action to mitigate risk by stopping the use of an impacted device, killing relevant processes, or even removing apps completely across affected endpoints.
The Tanium Converged Endpoint Management (XEM) platform can find and remediate vulnerabilities like the ones found in OpenSSL v3 today, and it can better arm your organization for the next supply chain vulnerability that comes.
You can find more information, including how to identify OpenSSL in your environment, in our Tanium Community article.
We’ll be following the developments in this vulnerability closely. Keep checking back here and on our Tanium Community article as more information becomes available.