
What the OpenSSL Vulnerabilities Are…and Aren’t (CVE-2022-3786 & CVE-2022-3602)


It’s been a week since we were warned about the OpenSSL vulnerability. The internet has been on fire with speculation and preemptive advertisements for all sorts of products and services.

Today we have more information about the vulnerability, including a blog article that went live with the disclosure. Sonatype has concluded a deep dive into the vulnerability and intelligence that we will be providing our Nexus Platform users ASAP.

The disclosure shows us that the vulnerability may open us up to a denial of service (DoS) attack, but it does not appear to facilitate data exfiltration or remote code execution (RCE). The original critical vulnerability is now split into two vulnerabilities ranked as “High” Severity.

In this article, we won’t be going into detail about how the vulnerability came to be or even how to patch it (in short: upgrade to the latest). Instead, we’ll be taking a quick look at what an exploit against these two new issues could be able to do, and compare it to two other common dependency exploits.

What it is not: Data Exfiltration

When you look at OpenSSL as a tool and then take a look at the variety of “exfil” attacks out there, you may have spent all last week speculating that a new exfil technique had been identified. That’s understandable, because public web applications and REST APIs that use OpenSSL are common targets of Out-of-Band (OoB) attacks.

Several kinds of OoB attacks may be used to exfiltrate data, including delayed cross-site scripting (XSS), server-side request forgery (SSRF), and even email header injection.

The thing OoB attacks have in common is that they target an unexpected source that is externally accessible. The typical solution to preventing data exfiltration, especially from OoB attacks, is a firewall with strict egress rules.
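As an added illustration of that egress point (this is not from the original post), the nftables ruleset below contrasts the default permissive output policy with a strict one: only the loopback interface, already-established connections, a single DNS resolver and an allow-listed set of HTTPS destinations may leave the host, and everything else is logged and dropped. The addresses are placeholders from the RFC 5737 documentation ranges, not real infrastructure.

```nftables
# Weak setting: an output chain that accepts everything (the usual default).
# Any OoB callback the application can be tricked into making will succeed.
#
#   chain output {
#       type filter hook output priority 0; policy accept;
#   }

# Strict egress policy: default drop, with explicit allows only.
table inet egress {
    # Allow-listed HTTPS destinations (placeholder addresses, documentation range).
    set allowed_https {
        type ipv4_addr
        elements = { 203.0.113.10, 203.0.113.11 }
    }

    chain output {
        type filter hook output priority 0; policy drop;

        # Local traffic and replies on connections we already allowed.
        oif "lo" accept
        ct state invalid drop
        ct state established,related accept

        # Name resolution only via the approved resolver (placeholder address).
        ip daddr 192.0.2.53 udp dport 53 accept
        ip daddr 192.0.2.53 tcp dport 53 accept

        # Outbound HTTPS only to the allow-listed upstreams.
        ip daddr @allowed_https tcp dport 443 accept

        # Everything else (including an attacker-chosen callback host) is
        # recorded, which doubles as a detection signal for OoB attempts.
        log prefix "egress-drop: " counter drop
    }
}
```

Load it with `nft -f <file>` and watch the kernel log for `egress-drop:` entries; unexpected outbound attempts from a web tier are worth investigating rather than silently suppressing.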


*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Eddie Knight. Read the original post at: https://blog.sonatype.com/what-the-openssl-vulnerabilities-are-and-arent