At a glance.
- OpenSSL patched today.
- Misconfiguration risk to US government networks' security and compliance.
- Hacking Ms Truss's phone.
- Assistance for Ukraine's cyber defense.
- DNS threats.

OpenSSL patched today.
Today, November 1st, OpenSSL is releasing a patch for a critical vulnerability in OpenSSL versions 3.0.0 and above. While the OpenSSL Project hasn’t released details about the flaw, Akamai notes that observers are taking it very seriously because a critical flaw in OpenSSL is so rare, and sees an analogy with Heartbleed: “This vulnerability has caused concern in the security community because it is unusual for the OpenSSL team to rate a vulnerability as critical. There has only been one in the past, in 2014 – Heartbleed. When exploited, Heartbleed led to a memory leak from the server to the client or the other way around.” Researchers at Nucleus point out that while the vulnerability may be severe, the threat may not be as widespread as some headlines suggest, since most organizations are still running OpenSSL 1.x or 2.x. For more on the implications of the OpenSSL vulnerability and its patch, see CyberWire Pro.