Cybersecurity vendors assess the impact of the recent OpenSSL vulnerability

Cybersecurity, cloud, storage and other providers are assessing the impact of a recent OpenSSL vulnerability on their products and services.

Updates released by the OpenSSL project earlier this month fix a high-severity Denial-of-Service (DoS) vulnerability related to certificate parsing.

The vulnerability, tracked as CVE-2022-0778 and reported by Google vulnerability researcher Tavis Ormandy, affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was fixed with the release of versions 1.0.2zd, 1.1.1n and 3.0.2.

The flaw is an infinite loop in OpenSSL's BN_mod_sqrt() modular square root routine, which is reached when OpenSSL parses a certificate (or private key) containing an elliptic curve public key in compressed form, or explicit curve parameters with a compressed base point. A crafted certificate with invalid curve parameters makes the parsing process hang. Because parsing happens before the certificate's signature is verified, the certificate does not need to be valid or chain to a trusted CA; any process that parses externally supplied certificates is exposed, including TLS clients consuming server certificates, TLS servers that request client certificates, and services that accept customer-uploaded certificates or certificate signing requests.
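The first question a practitioner asks about this bug is whether a given OpenSSL build is one of the fixed releases listed above. That is not a plain string comparison, because the 1.0.2 and 1.1.1 lines use letter suffixes (1.1.1m precedes 1.1.1n, and 1.0.2zc precedes 1.0.2zd) while 3.0 uses a numeric patch level. The following is an added example, not code from the article or the OpenSSL project; it parses the output of `openssl version` (or Python's `ssl.OPENSSL_VERSION`) and reports whether the build contains the CVE-2022-0778 fix. The sample version strings are constructed, and the ordering rule for letter suffixes (shorter suffix first, then alphabetical) is this example's assumption about OpenSSL's pre-3.0 naming scheme.

```python
import re
import ssl

# Fixed releases named in the OpenSSL advisory for CVE-2022-0778.
FIXED_1_1_1_LETTERS = "n"    # 1.1.1n
FIXED_1_0_2_LETTERS = "zd"   # 1.0.2zd
FIXED_3_0 = (3, 0, 2)        # 3.0.2

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Extract (major, minor, fix, letters) from strings such as
    'OpenSSL 1.1.1n  15 Mar 2022', '1.0.2zd', 'OpenSSL 3.0.2 15 Mar 2022'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    return major, minor, fix, m.group(4)


def letter_key(letters):
    # Assumed ordering of 1.x patch letters: "" < "a" < ... < "z" < "za" < "zb" < ...
    # A longer suffix always sorts later; equal lengths compare alphabetically.
    return (len(letters), letters)


def is_fixed(version_text):
    """True only when the version is confirmed to contain the CVE-2022-0778 fix.
    Lines the advisory does not cover (1.0.1, 1.1.0, LibreSSL, ...) return False,
    i.e. 'not confirmed fixed', which is the conservative answer for triage."""
    major, minor, fix, letters = parse_openssl_version(version_text)
    if major == 3:
        # 3.x uses numeric patch levels: 3.0.2 and every later 3.x release are fixed.
        return (major, minor, fix) >= FIXED_3_0
    if (major, minor, fix) == (1, 1, 1):
        return letter_key(letters) >= letter_key(FIXED_1_1_1_LETTERS)
    if (major, minor, fix) == (1, 0, 2):
        return letter_key(letters) >= letter_key(FIXED_1_0_2_LETTERS)
    return False


def triage(version_lines):
    """Map each version string (e.g. collected from `openssl version` on many hosts)
    to 'fixed' or 'vulnerable/unknown'."""
    return {line: ("fixed" if is_fixed(line) else "vulnerable/unknown")
            for line in version_lines}


def local_python_openssl():
    """Version string of the OpenSSL the running Python interpreter links against."""
    return ssl.OPENSSL_VERSION


if __name__ == "__main__":
    # Constructed sample inventory, not real host data.
    sample = [
        "OpenSSL 1.1.1n  15 Mar 2022",
        "OpenSSL 1.1.1m  14 Dec 2021",
        "OpenSSL 1.0.2zd  15 Mar 2022",
        "OpenSSL 1.0.2u  20 Dec 2019",
        "OpenSSL 3.0.2 15 Mar 2022",
        "OpenSSL 3.0.1 14 Dec 2021",
        "OpenSSL 1.1.0l  10 Sep 2019",
    ]
    for line, status in triage(sample).items():
        print(f"{status:<18} {line}")
    print("this interpreter:", local_python_openssl(),
          "->", "fixed" if is_fixed(local_python_openssl()) else "vulnerable/unknown")
```

The build string alone is not the whole story: vendors that backport fixes without bumping the version (some Linux distributions do this) will show an older string while already being patched, so for those systems the distribution's advisory or package changelog is the authoritative source, and the check above should be read as "confirmed fixed by upstream version".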

[ READ: Evolution of OpenSSL Security After Heartbleed ]

Technical details and at least one proof-of-concept (PoC) exploit are publicly available, and companies whose products and services are built on OpenSSL have started evaluating the impact on their offerings.

Palo Alto Networks informed customers on Wednesday that it is still investigating the impact of CVE-2022-0778 on its products, but has so far confirmed that PAN-OS, the GlobalProtect app and the Cortex XDR agent ship a vulnerable version of OpenSSL. Fixes are being developed for the affected products.

“For PAN-OS software, this includes both hardware and virtual firewalls and Panorama appliances, as well as Prisma Access customers. This vulnerability has a reduced severity for the Cortex XDR agent and the GlobalProtect app, as successful exploitation requires an attacker-in-the-middle (MITM) attack,” the company explained.

According to F5, the OpenSSL vulnerability affects its BIG-IP and Traffix products, and patches are being prepared. BIG-IP is only affected in certain configurations.

Check Point has also confirmed that several of its products are affected and the company has released patches.

According to Sophos, the vulnerability affects its firewall, UTM and web appliance products. The company’s advisory informs customers that fixes are planned for late March and April.

Other cybersecurity vendors currently investigating the impact of CVE-2022-0778 include SonicWall and Pulse Secure.

QNAP released an advisory this week to inform customers that multiple versions of its QTS, QuTS, and QuTScloud operating systems for NAS devices are affected. The storage solutions provider is working on patches.

The developers of the open source router and firewall platform VyOS have also confirmed that version 1.3.0 is affected. The OpenSSL component was updated in VyOS 1.3.1.

AWS has also released a brief security bulletin informing customers that it is aware of the issue and is investigating its impact on AWS services.

NetApp has also identified over a dozen affected products and has begun releasing patches.

Red Hat initially said it was not directly affected by the bug, but further investigation showed that some versions of Red Hat Enterprise Linux are vulnerable to the DoS attack. Other Linux distributions have also published advisories.

Related: OpenSSL vulnerability can be exploited to modify application data

See also: Companies Release Security Advisories in Response to New OpenSSL Vulnerabilities

See also: Three New Vulnerabilities Patched in OpenSSL


Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a journalism career as a security news reporter at Softpedia. Eduard has a bachelor’s degree in industrial computer science and a master’s degree in computer techniques applied in electrical engineering.
