Name in API: openssl_critical_vulnerability
Severity: Informational
Decay window: 45 days
Factor: Application Security
Factor weight: Medium
Why this matters
We detected a version of OpenSSL with a high-severity vulnerability, which could expose this organization to denial-of-service (DoS) attacks that disrupt its internet-facing services, or to remote code execution, which could enable threat actors to remotely control devices in this network for malicious purposes.
OpenSSL is an open-source toolkit that implements the SSL/TLS protocols. Applications use it to encrypt communications over computer networks and to prevent eavesdropping by threat actors. It is widely used by internet servers, including most HTTPS websites.
On November 1, 2022, the OpenSSL project published an advisory about two high-severity vulnerabilities for versions 3.0.0 through 3.0.6:
- CVE-2022-3786, if exploited, can allow a threat actor to launch a denial-of-service (DoS) attack using a maliciously crafted email address in an X.509 certificate.
- CVE-2022-3602, if exploited, could also result in a DoS attack or remote code execution.
How we discovered it
We detect this issue by identifying affected OpenSSL versions advertised in the HTTP response headers returned on open ports of the IP assets that we scan.
How you can remediate it
Check the versions of any OpenSSL instances running on the IPs listed in the Findings table for this issue type in your Scorecard.
Update vulnerable versions to the 3.0.7 patch, available on the OpenSSL site.
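To check what your own servers advertise before requesting a resolution, the following added Python example (not SecurityScorecard's scanner code) parses the OpenSSL version from a Server header and compares it with the 3.0.0 through 3.0.6 range from the advisory; the sample headers are constructed, and a match is a prompt to verify on the host, since distributions that backport the fix keep the old version string.

```python
import re
from typing import Optional, Tuple

# Affected range and fixed release from the OpenSSL advisory of November 1, 2022.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)
FIXED = (3, 0, 7)

# Matches version strings such as "OpenSSL/3.0.5" or "OpenSSL/1.1.1f".
_OPENSSL_RE = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)[a-z]*", re.IGNORECASE)


def openssl_version_from_header(server_header: str) -> Optional[Tuple[int, int, int]]:
    """Return the OpenSSL version advertised in a Server header, or None."""
    m = _OPENSSL_RE.search(server_header)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_in_affected_range(version: Tuple[int, int, int]) -> bool:
    """True when the version is 3.0.0 through 3.0.6 (tuple comparison)."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess_header(server_header: str) -> str:
    """Classify a Server header as 'affected', 'not_affected' or 'unknown'.

    'affected' means the advertised string falls in the vulnerable range.
    Verify on the host: a backported build (the compensating-control case
    in this article) keeps the old version string after the fix is applied.
    """
    version = openssl_version_from_header(server_header)
    if version is None:
        return "unknown"  # header does not expose an OpenSSL version at all
    return "affected" if is_in_affected_range(version) else "not_affected"


# Constructed sample headers, not captured from any real host.
SAMPLE_HEADERS = [
    "Apache/2.4.54 (Unix) OpenSSL/3.0.5",
    "Apache/2.4.54 (Unix) OpenSSL/3.0.7",
    "Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f",
    "nginx/1.22.1",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{header!r}: {assess_header(header)}")
```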
How you can resolve it in SecurityScorecard
When submitting a Resolution request, include supporting evidence where necessary. This helps us resolve your issue in a timely manner. See the following options for resolving the findings:
I have fixed this
Indicate that you have applied the patch.
I have a compensating control
Indicate that the fix was backported by the operating system distribution for the server that uses the OpenSSL library. In that case, the server's header may not reflect the patched version of OpenSSL.
This is not my IP or domain
Indicate that the affected assets do not belong to your organization.
Note: To prevent future findings on specific assets, manage these assets in your Digital Footprint.
I cannot reproduce this issue and I think it is incorrect
Provide evidence that you have applied the 3.0.7 patch or that you are not running unpatched versions of OpenSSL 3.0.0 through 3.0.6.