Discover up-to-date information, tools, and assistance to help you get a handle on the OpenSSL 3.x vulnerability
OpenSSL is the core open-source library that implements SSL and TLS protocols which makes it possible to securely communicate over the internet.
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the '.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service).
In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Reported by Viktor Dukhovni.
OpenSSL versions 3.0 through 3.0.6 are vulnerable. The commonly deployed OpenSSL 1.1.1 is not vulnerable.
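The affected range above is narrow (3.0.0 through 3.0.6) and the widely deployed 1.1.1 branch is unaffected, so the first triage step is simply matching each host's reported OpenSSL version against that range. The following is an added example written for this page, not Qualys or OpenSSL project code; the hostnames and captured `openssl version` strings are constructed sample data.

```python
"""Classify `openssl version` output against the affected range stated above:
OpenSSL 3.0.0 through 3.0.6 affected, everything else (including 1.1.1) not."""
import re
from typing import Dict, Optional, Tuple

# Affected range as given on the page (inclusive on both ends).
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

# Matches e.g. "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q  5 Jul 2022";
# the optional letter suffix only appears on the 1.x release scheme.
_VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `openssl version` output.
    Returns None when the text is not OpenSSL version output (e.g. LibreSSL)."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, patch)


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the version falls inside the affected 3.0.0..3.0.6 range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def classify(text: str) -> str:
    """Map one version string to 'affected', 'not-affected' or 'unknown'."""
    version = parse_openssl_version(text)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not-affected"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify every host in a {hostname: version-output} inventory."""
    return {host: classify(output) for host, output in inventory.items()}


# Constructed sample inventory (hypothetical hostnames and captured output).
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 3.0.5 5 Jul 2022",
    "web-02": "OpenSSL 3.0.7 1 Nov 2022",
    "db-01": "OpenSSL 1.1.1q  5 Jul 2022",
    "legacy-01": "LibreSSL 3.3.6",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The version string is a first filter, not a verdict: distributions that backport fixes may keep the upstream version number, and a host can carry several OpenSSL copies (statically linked binaries, container images, vendored libraries) that `openssl version` never reports, which is why the inventory step also needs package and file-level data.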
To help the security community during these challenging times, we are opening up free access to our industry-leading Qualys Cloud Platform that can help organizations inventory and scan all systems with vulnerable versions of OpenSSL. Our unified platform brings together Cybersecurity Asset Management, Vulnerability Management Detection & Response, Patch Management, Web Application Scanning, Container Security and Custom Assessment and Remediation.
Find and manage cybersecurity risks in IT assets. Qualys CSAM continuously inventories assets, applies business criticality and risk context, detects security gaps, and responds with appropriate actions to mitigate risk.
Quantify risk across vulnerabilities, assets, and groups of assets to help your organization proactively mitigate risk exposure and track risk reduction over time.
Streamline and accelerate vulnerability remediation for all your IT assets. Qualys Patch Management automatically correlates vulnerabilities to patch deployments so you can remediate quickly, proactively, and consistently.
Leverage Qualys WAS for continuous detection of vulnerabilities and misconfigurations, using automated scanning and testing of all your web apps and APIs.
Qualys CAR allows security practitioners to quickly create and execute custom scripts and controls to directly remediate and improve the security posture of any system or application.
We are continuously monitoring all our environments for any indication of active threats and exploits. With these measures, we are confident that necessary mitigations and remediation are in place to block and prevent any exploits of OpenSSL and there is no impact on Qualys scanners, Cloud Agent, systems or customer data. We will continue to monitor our environment around the clock and implement additional measures as required.