OpenSSL vulnerability updates

"IT folks should prioritize applying the announced patches against their usual business needs."

Regarding the OpenSSL vulnerability updates, Tod Beardsley, Security Engineering Manager at Rapid7, made several comments.

“IT folks should prioritize applying the announced patches against their usual business needs; after all, the highest rated OpenSSL vulnerability is merely ‘moderate,’ and I’d expect the OpenSSL Project to err on the side of more severe than less. While online retailers are going to be particularly sensitive to downtime this week, anyone who can afford the time it takes to test and push patches to production should do so. Having these issues buttoned up well before the holidays can help with peace of mind on the off chance these issues are more severe than initially assessed.”

Later Tod Beardsley made another statement following the OpenSSL update:

“The 0.9.8 branch of OpenSSL is a pretty popular branch, and has found itself in all sorts of embedded, IoT devices for cryptographic functionality. It also had the added benefit of not shipping the code vulnerable to Heartbleed. As a result of sticking to 0.9.8 for this long, device vendors need to figure out if they will update to the supported branches of OpenSSL, or if they will switch to another SSL library such as the OpenBSD project’s LibreSSL or Google’s BoringSSL.

Unfortunately, neither solution — switching to OpenSSL 1.0.1 or later branches, or replacing OpenSSL with another crypto library — is automatic nor painless. However, device and software vendors who get ahead of the upgrade cycle now, during a non-emergency, will be far better positioned to serve their customers and users than the suppliers who wait until a crisis to figure out what to do with old SSL implementations.”

Image Source: Pixabay

James Stevenson

I'm a cyber security enthusiast who loves all things to do with technology. I'm specifically interested in cyber security and ethical hacking.
