HACKER Q&A
📣 andrewstuart

Is your organisation patching the critical OpenSSL vulnerability?


I'm wondering how many organisations aren't really aware yet of how serious this is.

"OpenSSL warns of critical security vulnerability with upcoming patch

We don't have the details yet, but we can safely say that come Nov. 1, everyone -- and I mean everyone -- will need to patch OpenSSL 3.x."

https://www.zdnet.com/article/openssl-warns-of-critical-security-vulnerability-with-upcoming-patch/


  👤 stu2010 Accepted Answer ✓
I would posit that most organizations that are on recent enough software to be using OpenSSL 3.x over 1.1.1 or older are in the culture of updating things extremely often, so patching shouldn't be an issue.

Older deployments would be on 1.1.1, which this does not affect.
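The practical first step behind this answer is knowing which of your hosts and binaries are actually on the 3.x line. The script below is an added example for that inventory step; it is not code from the thread or from the OpenSSL project. It classifies `openssl version` output and `ldd`-reported libssl sonames into "3.x-in-scope" (the line the upcoming patch targets), "not-affected" (1.1.1 / 1.0.x, per the answer above) and a separate bucket for LibreSSL. Fix-version numbers are deliberately not hard-coded, because the thread does not state them. The host names and version strings in the sample inventory are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenSSL project.
# Separates hosts on the OpenSSL 3.x line (in scope for the Nov 1 patch)
# from 1.1.1 / 1.0.x hosts, which the accepted answer says are not affected.

# Classify the first line of `openssl version` output.
classify_openssl_version() {
    case "$1" in
        "OpenSSL 3."*) echo "3.x-in-scope" ;;   # needs the upcoming patch
        "OpenSSL 1."*) echo "not-affected" ;;   # 1.1.1 / 1.0.x line
        "LibreSSL "*)  echo "not-openssl" ;;    # e.g. macOS; a different codebase
        *)             echo "unknown" ;;
    esac
}

# Classify a libssl soname as reported by `ldd`. Binaries can link a
# different OpenSSL than the CLI (the thread mentions one linked with 3.0).
classify_libssl_soname() {
    case "$1" in
        libssl.so.3*)                                 echo "3.x-in-scope" ;;
        libssl.so.1.1*|libssl.so.1.0*|libssl.so.10*)  echo "not-affected" ;;
        *)                                            echo "unknown" ;;
    esac
}

# Print "binary<TAB>soname<TAB>class" for each given binary (Linux, needs ldd).
# Statically linked or vendored copies of libssl do NOT show up here.
report_linked_libssl() {
    for bin in "$@"; do
        so=$(ldd "$bin" 2>/dev/null | sed -n 's/.*\(libssl\.so\.[0-9.]*\).*/\1/p' | head -n 1)
        [ -n "$so" ] || continue
        printf '%s\t%s\t%s\n' "$bin" "$so" "$(classify_libssl_soname "$so")"
    done
}

# Read "host<TAB>version-line" records from stdin, append a classification.
inventory_from_stdin() {
    while IFS="$(printf '\t')" read -r host verline; do
        printf '%s\t%s\t%s\n' "$host" "$verline" "$(classify_openssl_version "$verline")"
    done
}

# Constructed sample records (hypothetical hosts, not real inventory data).
SAMPLE_INVENTORY=$(printf 'web-01\tOpenSSL 3.0.5 5 Jul 2022\ndb-01\tOpenSSL 1.1.1q  5 Jul 2022\nlegacy-01\tOpenSSL 1.0.2k-fips  26 Jan 2017\nmac-01\tLibreSSL 3.3.6')

# Number of sample hosts that need attention (classified 3.x-in-scope).
count_in_scope() {
    printf '%s\n' "$SAMPLE_INVENTORY" | inventory_from_stdin | grep -c '3.x-in-scope$'
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_INVENTORY" | inventory_from_stdin
    echo "local CLI: $(openssl version 2>/dev/null || echo 'openssl not found')"
    report_linked_libssl /usr/bin/curl /usr/sbin/nginx /usr/bin/ssh
fi
```

Run it with `--demo` to see the sample table plus the local CLI version and the libssl each listed binary links. In practice you would feed `inventory_from_stdin` with real records collected from your fleet (for example `hostname; openssl version` over your configuration management tool) rather than the constructed sample. The `ldd` check matters because the CLI's version only tells you about the distro package: an application that bundles or statically links its own OpenSSL 3.x will not appear in either check and needs to be tracked through its vendor.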


👤 tkiolp4
No. A few months ago, in our security Slack channel, we reported vulnerabilities in a few of our microservices regarding vulnerable ciphers being used… the security team didn’t do anything. I doubt they’ll do something about OpenSSL in our systems. We operate in around 10 countries, millions of customers. Valued in a few billion dollars.

👤 merlyn
We don't have any machines with a new enough distro to be bundled with OpenSSL 3.x.

👤 cookiengineer
What I'm wondering about is more along the lines of: how many years until enterprise-grade solutions will have fixed this?

Last time it took Fortinet over 6 years to fix the publicly known backdoor/bypass, and they were the reason for the majority of hacks in 2021 because of that.

I fear that in the next couple of years the monoculture in enterprise IT will experience the same thing all over again, because their bought supply chain doesn't care much about RCEs like this.


👤 pinum
It doesn't look like we'll be affected (we don't have anything that uses 3.x and the golang updates seem to be unrelated). I'm still going to monitor things on Tuesday, just in case.

👤 Am4TIfIsER0ppos
LOL. I just checked and even Arch isn't using 3.0 yet. Although I did once attempt to run a GitHub-compiled Flash replacement and failed because it was linked with 3.0.

👤 aborsy
I don’t know, but I wonder if OpenSSH is affected too?

👤 altdataseller
I am still using OpenSSL 1.0.x and it does not seem to be impacted, so no, I will not.

👤 anizan
ECDH is anyway unsafe and easily cracked.

👤 dontbenebby
Just in time for Devil's Night -- Chris Krebs is gonna be PISSED.

Edit: I don't have an organization.