Welcome to the latest edition of The Week in Security, which brings you the newest headlines from both the world and our team across the full stack of security: application security, cybersecurity, and beyond. This week: an expected OpenSSL vulnerability may not be as disastrous as was predicted, but is still very real. Also: Unauthorized hackers accessed 130 GitHub repositories as a result of a Dropbox breach.
This Week’s Top Story
Two OpenSSL CVEs to pay attention to
Last week, ZDNet reported that there was a big storm coming for the application security industry. It was expected that by November 1, everyone would need to immediately begin patching for a security bug in OpenSSL 3.x that was predicted to lead to remote code execution (RCE) if not patched. Now, the issue at hand has changed. ZDNet now reports that rather than there being a sole vulnerability, OpenSSL has fixed two vulnerabilities, which are not as disastrous as was previously thought.
OpenSSL is vital for securing Transport Layer Security (TLS) on Linux, Unix, Windows and other operating systems, making the severity of this security bug all the more scary for the application security industry. Luckily, the two OpenSSL vulnerabilities, CVE-2022-3786 and CVE-2022-3602, while ranked with a high CVE score of 8.8, will not cause as many issues for the industry as previously thought. The reason why these vulnerabilities are not as catastrophic as expected is because the chances that an attacker can actually pull off RCE using these vulnerabilities is slim.
However, it is important that application security professionals take note of these vulnerabilities and check their code. These CVEs only impact OpenSSL 3.x, but it’s important for practitioners to check their containers and applications to make sure they don’t use this version of OpenSSL, even if their main operating system uses OpenSSL 1.x.
Here are the stories we’re paying attention to this week…
File hosting service Dropbox on Tuesday disclosed that it was the victim of a phishing campaign that allowed unidentified threat actors to gain unauthorized access to 130 of its source code repositories on GitHub.
The U.S. Army has issued a request for information (RFI) for industry feedback on approaches currently being developed to address software supply chain issues, with a focus on the “acquisition, validation, ingest, and use of Software Bills of Material (SBOMs) and closely associated matters.”
NIST advisors are debating the OMB's policy on software vendors' "self-attestation" of software security (Nextgov)
A key National Institute of Standards and Technology advisor expressed skepticism at a recent meeting about a policy that encourages agencies to accept software vendors’ security promises.
Android apps with a million play store installations redirect users to malicious sites (The Hacker News)
A set of four Android apps released by the same developer has been discovered directing victims to malicious websites as part of an adware and information-stealing campaign.
Security leaders believe companies should face consequences for releasing insecure software (Developer)
According to a new study, organizations plan to invest in DevSecOps in 2023, and the level of urgency for them to do so has grown.
Image source: Alan Levine / Flickr