OpenSSL Security Updates

OpenSSL has released security updates that fix several vulnerabilities. A remote attacker could exploit these vulnerabilities to take control of an affected system.

OpenSSL is an open-source command-line tool commonly used to generate private keys, create CSRs, install your SSL/TLS certificate, and identify certificate information.

OpenSSL is available for most Unix-like operating systems (including Linux, macOS, and BSD) and Microsoft Windows, and it’s widely used.

A sample of the addressed vulnerabilities:

OpenSSL code execution (CVE-2022-2274):

  • CVSS: 9.8
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Consequences: Gain Access

Vulnerabilities

  • CVE-2022-2274
  • CVE-2022-2097
  • CVE-2022-2068

Mitigations

  • The enterprise should deploy this patch as soon as the testing phase is completed. Advisory: https://www.openssl.org/news/secadv/20220705.txt
  • EG-FinCIRT constituents should confirm with their vendors whether OpenSSL is used in their products and ensure that the version in use is not vulnerable.
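As an added example (not part of this advisory), the following helper supports the second mitigation: it parses the banner printed by `openssl version`, handles both the 1.x letter-suffix scheme (1.1.1n) and the 3.x numeric scheme (3.0.4), and flags builds older than the first fixed release of their branch. The fixed versions in FIXED_VERSIONS are placeholders that must be filled in from the linked OpenSSL advisory.

```python
import re
import subprocess

# PLACEHOLDER values: replace with the first fixed release of each branch as
# given in https://www.openssl.org/news/secadv/20220705.txt before use.
FIXED_VERSIONS = {
    "1.1.1": "1.1.1z",  # placeholder, not the real fixed release
    "3.0": "3.0.99",    # placeholder, not the real fixed release
}

# Matches "OpenSSL 1.1.1n", "OpenSSL 3.0.4", "OpenSSL 1.0.2k-fips"; not LibreSSL.
_VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner):
    """Return (major, minor, patch, letter) from an `openssl version` banner,
    or None if it is not an OpenSSL banner. Tuples compare correctly because
    the 1.x letter suffix sorts '' < 'a' < ... < 'z' within one release."""
    m = _VERSION_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def branch_of(version):
    """1.x releases are patched by letter (branch '1.1.1'); 3.x by the third
    number (branch '3.0')."""
    major, minor, patch, _ = version
    return f"{major}.{minor}.{patch}" if major < 3 else f"{major}.{minor}"


def is_vulnerable(banner, fixed=FIXED_VERSIONS):
    """True if the build predates the fix for its branch, False if it is at or
    past the fix, None if the banner is not OpenSSL or the branch is not listed
    (e.g. an end-of-life 1.0.2 build, which must be checked against the advisory
    by hand)."""
    v = parse_version(banner)
    if v is None:
        return None
    fixed_banner = fixed.get(branch_of(v))
    if fixed_banner is None:
        return None
    return v < parse_version("OpenSSL " + fixed_banner)


def local_openssl_banner():
    """Banner of the openssl binary on PATH, or None if it cannot be run."""
    try:
        return subprocess.run(["openssl", "version"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
```

Vendor packages often backport fixes without changing the upstream version string, so a "vulnerable" result is a prompt to confirm with the vendor, not a final verdict.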
