The Exploit

Notes from the Front Lines of Penetration Testing

RAXIS THREAT ALERT: VULNERABILITY IN OPENSSL v3.0.x

RAXIS THREAT ALERT: VULNERABILITY IN OPENSSL v3.0.x

Written by

UPDATE: Subsequent to publication of this blog post, the OpenSSL vulnerabilities were assigned CVE-2022-37786 and CVE-2022-3602, patches were released by OpenSSL, and the threat level was downgraded from “critical” to “high.”

In the cyberworld, news of a critical vulnerability affecting OpenSSL versions 3.0 – 3.0.6 will likely be the scariest part of Halloween ’22. Especially since the OG ‘critical’ rating from OpenSLL went to the aptly named “Heartbleed” bug from 2014.

There is a lot of buzz online about this vulnerability, but here’s what we know for sure:

  • It really could be that serious. The OpenSSL project management team says it’s critical, and they are not known for crying ‘wolf’ without reason. By the organization’s standards, ‘critical’ means it may be easily exploitable, many users could be affected, and the destructive potential is high.
  • So, you definitely need to patch. OpenSSL’s software is ubiquitous in the world of security and encryption. Though 98% of instances are still version 1.1.1, the 1.5% using version 3.0.x includes some very popular Linux distributions, including Red Hat Enterprise Linux (RHEL) 9.x, Ubuntu version 22.04, and many others.
  • And you need to patch ASAP. OpenSSL is making the patch available tomorrow, November 1, beginning at 8 AM and should be complete by noon U.S. Eastern Time. According to an OpenSSL spokesman, the rationale behind announcing the vulnerability before the patch is ready is to give organizations time to identify the systems that need to be patched and assemble the resources necessary to do so.

How can you be sure that all your relevant systems are patched? Once you’ve installed the updates, a comprehensive assessment of each host can insure you’ve properly updated. As always, a Raxis penetration test can also reveal unpatched or out-of-date software from OpenSSL or any other provider. What’s more, our team can show you proof of what assets are at risk and why.


Brad Herring

Posted on

Categories:

Also by Brad Herring

Human Vs AI Pentesting

While AI tools offer speed in detecting known vulnerabilities, they fall short with 20-35% false positives and only 50-65% success on complex threats like business logic flaws, as per mainstream reports from Verizon and OWASP. Human penetration testers at Raxis deliver 85-90% detection rates, precise prioritization, and ethical adaptability, ensuring your organization stays ahead of real-world attacks.

Partner With Raxis

Partnering with Raxis empowers your business with elite penetration testing services, competitive reseller pricing, and recurring revenue opportunities, all backed by a proven track record of excellence and a commitment to staying ahead of evolving cybersecurity threats.

Penetration Testing

Tailored, expert-led penetration testing services that uncovers hidden vulnerabilities using real-world hacker techniques, providing actionable insights to strengthen your defenses and protect against sophisticated cyber threats.

Ready to See Raxis One In Action?

See how we transform traditional pen testing into interactive security intelligence that keeps you informed every step of the way. From real-time attack progression to detailed remediation guidance, Raxis One gives you unprecedented visibility into your security posture as it’s being tested.