The OpenSSL project team recently patched two buffer overflow vulnerabilities that affect the 3.0.0 through 3.0.6 releases of OpenSSL. These vulnerabilities exist within X.509 certificate verification (specifically within the name constraint checking logic) and affect both client-side and server-side applications: a TLS client is exposed when it connects to a malicious server, and a TLS server is exposed when it requests client authentication and a malicious client connects. Attackers can exploit these vulnerabilities to cause a denial of service by crashing applications or services (CVE-2022-3786, CVE-2022-3602) or potentially to achieve remote code execution (CVE-2022-3602). The overflow is reached only after certificate chain signature verification, so exploitation requires either a CA that has signed the malicious certificate or an application that continues certificate verification despite failing to build a path to a trusted issuer.

The OpenSSL project team fixed these vulnerabilities in OpenSSL 3.0.7. OpenSSL 1.x versions do NOT contain these vulnerabilities.

Is runZero affected by these OpenSSL vulnerabilities?

The runZero platform does not use OpenSSL. The runZero operations team is ensuring that appropriate updates and mitigations are being rolled out to all of our supporting systems, including endpoints, infrastructure, and supporting services.

What are the details around these vulnerabilities?

The OpenSSL project team put together a thorough blog post that covers the details.

How to find vulnerable OpenSSL 3.0.x in your network

You can use runZero to discover vulnerable 3.0.x versions of OpenSSL in your environment. We shipped initial support for remote OpenSSL version detection in runZero version v3.2.6 on Sunday, October 30th, and scans run by our SaaS users after this time will report OpenSSL in the software inventory along with the version number when possible. Self-hosted users can enable this feature by applying the v3.2.6 (or later) update and rescanning their environment.
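The following is an added example, not runZero's detection code and not part of the original post. It shows the triage logic a practitioner applies once an inventory of OpenSSL versions exists: parse the version out of a service banner and flag only the 3.0.0 through 3.0.6 range. The hosts and banner strings are constructed sample data, and the banner format (an `OpenSSL/x.y.z` token as printed by common web servers) is an assumption about how the version surfaces remotely.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# CVE-2022-3602 and CVE-2022-3786 affect OpenSSL 3.0.0 through 3.0.6; fixed in 3.0.7.
FIXED_PATCH_LEVEL = 7

# Constructed sample inventory (host, service banner). Not real scan output;
# the versions are hypothetical and chosen to cover the edge cases.
SAMPLE_BANNERS: List[Tuple[str, str]] = [
    ("10.0.0.5", "Apache/2.4.54 (Unix) OpenSSL/3.0.5"),      # affected
    ("10.0.0.6", "nginx/1.22.1 OpenSSL/3.0.7"),              # first fixed release
    ("10.0.0.7", "Apache/2.4.54 (Debian) OpenSSL/1.1.1n"),   # 1.x is not affected
    ("10.0.0.8", "Apache/2.4.54 (Unix) OpenSSL/3.0.0"),      # lower bound, affected
    ("10.0.0.9", "lighttpd/1.4.67"),                         # no OpenSSL version exposed
]

# Matches the "OpenSSL/<major>.<minor>.<patch><optional 1.x letter suffix>" token.
VERSION_RE = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]*)")


@dataclass(frozen=True)
class OpenSSLVersion:
    major: int
    minor: int
    patch: int
    suffix: str  # 1.x letter suffix such as the "n" in 1.1.1n; empty for 3.x


def parse_openssl_version(banner: str) -> Optional[OpenSSLVersion]:
    """Extract the OpenSSL version from a banner, or None if none is advertised."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    return OpenSSLVersion(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def is_affected(v: OpenSSLVersion) -> bool:
    """True only for the 3.0 series below 3.0.7; 1.x and later series are not affected."""
    if (v.major, v.minor) != (3, 0):
        return False
    return v.patch < FIXED_PATCH_LEVEL


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Label each (host, banner) as affected, not affected, or unknown."""
    results = []
    for host, banner in inventory:
        v = parse_openssl_version(banner)
        if v is None:
            status = "unknown"
        elif is_affected(v):
            status = "affected"
        else:
            status = "not affected"
        results.append((host, banner, status))
    return results


if __name__ == "__main__":
    for host, banner, status in triage(SAMPLE_BANNERS):
        print(f"{host:<12} {status:<13} {banner}")
```

Treat "affected" as a lead rather than a verdict: distribution packages often backport the fix while keeping the upstream version string (a banner reporting 3.0.2 may be a patched vendor build), so confirm against the package changelog before and after remediation. An "unknown" host still needs a closer look, since many services link OpenSSL without advertising it.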