Recently, several cybersecurity vendors have been affected by the OpenSSL vulnerability. Read on to know how the various cybersecurity vendors are investigating this issue…
The impact of a recent OpenSSL vulnerability on cybersecurity, cloud, storage, and other vendors’ products and services is being assessed.
The OpenSSL Project issued patches for a high-severity Denial-of-Service (DoS) vulnerability linked to certificate parsing earlier this month.
The CVE-2022-0778 security flaw affects OpenSSL versions 1.0.2, 1.1.1, and 3.0, according to Google Vulnerability Researcher Tavis Ormandy. With the release of versions 1.0.2zd, 1.1.1n, and 3.0.2, the security flaw was fixed.
In some situations, the vulnerability can be exploited, resulting in a DoS attack against a process that parses externally supplied certificates.
Technical information and at least one proof-of-concept (PoC) exploit have been made public, and firms whose products and services that rely on OpenSSL have begun to assessing the implications.
Palo Alto Networks informed customers on Wednesday that it is still looking into the impact of CVE-2022-0778 on its products, but it has confirmed that PAN-OS, the GlobalProtect app, and the Cortex XDR agent software contain a vulnerable version of OpenSSL. Fixes are being developed for the products that are affected.
The company explained “For PAN-OS software, this includes both hardware and virtual firewalls and Panorama appliances as well as Prisma Access customers. This vulnerability has reduced severity on Cortex XDR agent and Global Protect app as successful exploitation requires an attacker-in-the-middle attack (MITM),”
The OpenSSL issue affects F5’s BIG-IP and Traffix products, according to the company, which is working on patches. BIG-IP is only affected if specific configurations are used.
Check Point has also acknowledged that a number of its products are compromised, and has issued patches.
Sophos said that the vulnerability affects its Firewall, UTM, and Web Appliance products. Customers will receive the security patches in late March and April, according to the company’s advisory.
SonicWall and Pulse Secure are two more cybersecurity vendors investigating into the impact of CVE-2022-0778.
This week, QNAP issued a advisory to inform consumers that several versions of its QTS, QuTS, and QuTScloud operating systems for NAS are impacted. Patches are being developed by the storage solutions provider.
Version 1.3.0 of the VyOS open source router and firewall platform is also impacted, according to the developers. The OpenSSL component was updated with the recent VyOS 1.3.1 release.
AWS has also issued a brief security bulletin informing consumers that the security issue has been identified and that the company is examining the impact on its services.
NetApp has also identified over a dozen products that are vulnerable and has begun issuing updates.
Red Hat initially said that the vulnerability did not affect them directly, however later investigations revealed that some versions of Red Hat Enterprise Linux are vulnerable to DoS attacks. Other Linux distributions have issued advisories as well.