UPDATE: The details are out. The issue is that under certain circumstances, a hacker could get OpenSSL to accept an HTTPS certificate that is fraudulent. This does not affect the major browsers, but rather the second and third tier software that uses SSL behind the scenes. Likely, you don’t even know all the places that OpenSSL is used in your company. For more information on OpenSSL’s somewhat checkered past (Heartbleed, Poodle, Freak, etc.), read this Symantec post.
OpenSSL, the open source toolkit that allows developers to support HTTPS and which is used in millions of pieces of software has announced that they are releasing a patch on Thursday.
The rather cryptic announcement, which is the way that OpenSSL works, just says that they are releasing a fix that corrects a single flaw and that flaw is classified as “high severity”.
OpenSSL has had a string of bug fixes over the last year. The most well known of which, Heartbleed, is still being fixed by developers. After Heartbleed, more people started looking at the code and found more bugs – some of which had been lurking there for 15 years.
While we won’t know the impact of this bug until Thursday, it raises the point that we should not assume that any given piece of open source software (or closed source software either) has been critically examined by millions of eyeballs.
In fact, until Heartbleed exploded, OpenSSL had exactly one full time employee shepherding it. Of course, there were many other contributors to the project, but their level of participation is unknown.
After Heartbleed, the Linux Foundation (Linux uses OpenSSL), decided it was in their own self interest to fund staff for OpenSSL. Their funding allowed openSSL to add two more full time developers. In addition, the Linux Foundation funded the Open Crypto Audit Project to do an audit of OpenSSL.
How long the Linux Foundation will fund these positions and whether the patch coming out Thursday was a result of the audit is unknown.
What we do know is that businesses need to understand their software supply chain (i.e. that they do use products that rely on OpenSSL, which products those are, whether the vulnerabilities are great enough that they need to mitigate the threat immediately – which may include shutting down systems like the OPM did last week with their eQIP system – not clear if there is any relation between these two events) and how they plan to fix the bug.
Since most open source software does not have dedicated development teams pushing out patches, businesses need to “fend for themselves”. This is the downside of open source. Most of the time all that means is that you may or may not get a new feature at a particular time. In this case, it may be more serious.
This does not mean that you should not use open source. It is, however, a reminder to organizations that you need to manage your software supply chain. How well do you manage your software supply chain?