Ask HN: Is your organisation patching the critical OpenSSL vulnerability?

16 points by andrewstuart ↗ HN
I'm wondering how many organisations aren't really aware yet of how serious this is.

"OpenSSL warns of critical security vulnerability with upcoming patch

We don't have the details yet, but we can safely say that come Nov. 1, everyone -- and I mean everyone -- will need to patch OpenSSL 3.x. "

https://www.zdnet.com/article/openssl-warns-of-critical-security-vulnerability-with-upcoming-patch/

14 comments

[ 3.3 ms ] story [ 41.2 ms ] thread
Just in time for devil's night -- Chris Krebs is gonna be PISSED

Edit: I don't have an organization.

I don’t know, but I wonder if OpenSSH is affected too?
I am not privileged to the private information, but openssl isnt so useful in a standalone library, so I imagine that its going to be affecting quite a lot of ssl programs.

It may even extend to boring ssl.

I am still using OpenSSL 1.0.x and it does not seem to be impacted, so no I will not.
No. A few months ago, in our security Slack channel we reported of vulnerabilities in a few of our micro services regarding vulnerable cyphers being used… security team didn’t do anything. I doubt they’ll do something about OpenSSL in our systems. We operate in around 10 countries, millions of customers. Valued in a few billion dollars.
Depending on context, "vulnerable ciphers" often lead to high priority vulnerability alerts that aren't a significant threat in practice. For example, best security practice would have disabled tls 1.0 years ago but most major services only did this in the past year as they dropped internet Explorer support. That's a long way from an actual breach and further still from a potential potential rce.
Yeah, our last pentest report had a bunch of "vulnerable ciphers" listed. I responded by showing that Google, Amazon, and the pentesting company's own sites all used the same ciphers that they flagged.
ECDH is anyway unsafe and easily cracked.
ECDH is anyway unsafe and easily cracket.
It doesn't look like we'll be affected (we don't have anything that uses 3.x and the golang updates seem to be unrelated). I'm still going to monitor things on Tuesday, just in case.
I would posit that most organizations that are on recent enough software to be using Openssl 3.x over 1.1.1 or older are in the culture of updating things extremely often, so patching shouldn't be an issue.

Older deployments would be on 1.1.1, which this does not affect.

We don't have any machines with a new enough distro to be bundled with OpenSSL 3.x.
What I'm wondering about is more along the lines of: How many years until Enterprise grade solutions will have fixed this?

Last time it took Fortinet over 6 years to fix the publicly known backdoor/bypass, and they were the reason for the majority of hacks in 2021 because of that.

I fear the next couple years the monoculture in Enterprise IT will experience the same thing all over again, because their bought supply chain doesn't care much about RCEs like this.

LOL. I just checked and even Arch isn't using 3.0 yet. Although I did once attempt to run a Github-compiled flash replacement and failed because it was linked with 3.0