peshkova - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

Critical OpenSSL patch coming Thursday

The OpenSSL project team will release a critical patch on Thursday and experts warn admins that the upgrade process could take days or weeks to complete.

The OpenSSL project team described as "high severity" a vulnerability that will be addressed in a new patch slated for this week. The nature of the vulnerability has not been revealed, but experts suggest that system admins be prepared for a potentially lengthy upgrade process.

According to the announcement, the July 9 release will address OpenSSL versions 1.0.2d and 1.0.1p. The flaw does not affect versions 1.0.0 or 0.9.8.

While the specifics of the vulnerability have not yet been made available, the OpenSSL project categorizes "high severity" flaws as those that include server denial-of-service, a significant leak of server memory and remote code execution.

Experts warn that once the patch is released, it will be a race between admins patching systems and attackers leveraging the flaw because, depending on the size of an organization, this upgrade could take weeks to complete and requires rigorous quality assurance. Morey Haber, vice president of technology at BeyondTrust, suggested admins use Heartbleed as a guide for how long this remediation may take.

Dr. Chase Cunningham, threat intelligence lead at cloud hosting provider FireHost Inc., noted the time necessary should not be long at smaller scales, but said it will take a long time to do it correctly on a larger scale.

"Keep in mind if you miss one channel, you have compromised the integrity of the entire communications channel, which could lead to follow-on hacks," Cunningham said. "It could be a day for something small or months for some huge enterprise.  And the QA process is hard to do as you need to pen test everything after the patch to make sure you didn’t miss something that could be critical."

Cunningham also suggested that companies may benefit from moving past SSL altogether, because for those still reliant on SSL, "it's basically too late. They need to move to at least TLS and start also encrypting everything possible both at rest and in transit. Not doing so negates the whole encryption process off the bat and leaves too many holes," Cunningham said. 

This takes time, Cunningham said, "but the hackers are after the data and communication channels. Making it hard for them to intercept and gain access to those data stores should be priority over just jumping through the next SSL patch cycle shuffle."

Next Steps

Learn about addressing Windows Server SSL/TLS flaws.

Dig Deeper on Microsoft Patch Tuesday and patch management