Experts first categorized this as a critical-level vulnerability comparable to the Heartbleed bug almost a decade prior. Upon release, OpenSSL announced that it actually patched two separate high-severity vulnerabilities.
These security flaws now have CVE numbers and can be tracked by threat intelligence services:
In both cases, one of two things must happen for the exploit to work: Either Certificate Authorities sign the malicious certificate or the app continues verification despite failing to reach a trusted issuer.
Since the vulnerabilities cannot easily be exploited through common remote code execution scenarios, OpenSSL downgraded them from Critical to High severity.
Only systems running OpenSSL 3.0.0 and above that perform a specific type of certificate authentication on email traffic are impacted.
OpenSSL 3.0.0 was originally released in September 2021. That means systems that have implemented or upgraded OpenSSL since that date may be affected. This includes popular runtime environments like Node.js 18 and 19 and other third-party solutions that use OpenSSL.
Both are buffer overflows triggered during X.509 certificate verification on email-handling systems. That means affected systems must be email servers, email security gateway applications, or email clients. Many platforms ship stack overflow protections that can mitigate these risks, but upgrading to the current patch is still recommended.
Several dozen Linux distributions are known to ship OpenSSL 3.0.0 and above. Systems built on these distributions that have email capabilities can likely be exploited using malicious X.509 certificates.
The most popular distributions affected include RHEL 9.0, Ubuntu 22.04, and Fedora 36. A full list of affected Linux distributions is available here.
The short answer is no. These vulnerabilities do not impact the issuance of SSL certificates nor their use. There is no need to revoke or reissue certificates based solely on these vulnerabilities.
Despite the severity downgrade, OpenSSL's newly reported vulnerabilities must still be addressed quickly. Security leaders need to identify which OpenSSL instances their organizations run, and patch those that are impacted.
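The inventory step above is usually a version-string triage problem: `openssl version` output, Node.js `process.versions.openssl`, and package metadata all report the library version in slightly different shapes. The helper below is an added example, not code from the article or from OpenSSL; it applies the article's "3.0.0 and above" rule, treats any 3.0.x build as needing review unless the caller supplies the first patched release from the OpenSSL advisory (`fixed`, deliberately not hard-coded here), and refuses to misclassify LibreSSL, which shares the numbering style but is a different code base.

```python
"""Triage OpenSSL version strings against the affected range (3.0.0 and above)."""
import re
import subprocess
from typing import Optional, Tuple

# Version strings look like "OpenSSL 3.0.5 5 Jul 2022", "3.0.5+quic" (Node.js),
# or "OpenSSL 1.1.1q  5 Jul 2022" (pre-3.0 releases carry a letter suffix).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

AFFECTED_FROM = (3, 0, 0)  # per the article: OpenSSL 3.0.0 and above


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from version output; None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups()[:3])
    return (major, minor, patch)


def triage(text: str, fixed: Optional[Tuple[int, int, int]] = None) -> str:
    """Classify one build as not-openssl / unknown / not-affected / review / patched.

    `fixed` is the first patched release taken from the OpenSSL advisory; with no
    value given, every 3.0.x build is reported as "review" (patch or verify).
    """
    if "libressl" in text.lower():
        return "not-openssl"  # macOS and some BSDs ship LibreSSL, not OpenSSL
    v = parse_version(text)
    if v is None:
        return "unknown"
    if v < AFFECTED_FROM:
        return "not-affected"  # 1.1.1 and earlier are outside the affected range
    if fixed is not None and v >= fixed:
        return "patched"
    return "review"


def local_openssl() -> str:
    """Triage the system `openssl version` binary (if present)."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "unknown"
    return triage(out.stdout)


if __name__ == "__main__":
    # Constructed sample inventory lines (hosts and a Node.js runtime).
    for line in ["web01: OpenSSL 3.0.2 15 Mar 2022", "mail01: OpenSSL 1.1.1n  15 Mar 2022",
                 "node18: 3.0.5+quic", "mac01: LibreSSL 3.3.6"]:
        print(f"{line:40} -> {triage(line)}")
```

On a Node.js host the input line is produced by `node -p process.versions.openssl`, which is why the `+quic` suffix form is handled.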
This will test the risk quantification strategy of many cybersecurity leaders and their teams. Executives increasingly call on CISOs and their teams to translate security processes into dollars. The better security leaders understand their tech stack, the easier it will be to justify cybersecurity investment in detection and response capabilities for incidents like this one.