| | OpenSSL-2022 | betterscan-ce |
|---|---|---|
| Mentions | 21 | 34 |
| Stars | 531 | 686 |
| Growth | 0.0% | - |
| Activity | 10.0 | 7.3 |
| Latest commit | over 1 year ago | 24 days ago |
| Language | - | Python |
| License | MIT License | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
OpenSSL-2022
- OpenSSL CVE Remediation?
NCSC-NL is keeping an up-to-date list of affected software here: https://github.com/NCSC-NL/OpenSSL-2022/tree/main/software. Salesforce is not mentioned but if their servers were using 3.0–3.6 I'd expect them to be upgraded already.
- M365 Defender Vulnerability Management - OpenSSL
- Overview of software (un)affected by the OpenSSL vulnerability
- List of software (un)affected by OpenSSL vulnerability
- CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows
NCSC is calling it SpookySSL but I think it is just for funsies. https://github.com/NCSC-NL/OpenSSL-2022
- SSL RCE Vulnerability
- Security issue with OpenSSL
- OpenSSL 3.0.7 - CVE-2022-3602
- OpenSSL 3.0.7 Published
I'm oversimplifying it a bit, but anything that hasn't reached stable this year is still using v1.1.1 (and therefore unaffected).
Ubuntu v22.04 is vulnerable, but any before it is not. Debian is good (except bookworm which is currently in testing), Fedora (<36) is good, RHEL/CentOS (<9), Arch...
So on top of being not as serious as Heartbleed, servers that are a bit longer in operation (but still well within their support cycle) don't need patching.
https://github.com/NCSC-NL/OpenSSL-2022/tree/main/software
- Urgent: Patch OpenSSL on November 1 to avoid “Critical” Security Vulnerability - GlobalSign
betterscan-ce
- Cloud and Code Security - betterscan.io
More on the website: www.betterscan.io
- Do you SLSA or SBOM in your SDLC?
Maybe you will find https://github.com/marcinguy/betterscan-ce useful (scans SBOMs and Dependencies, apart from Code and IaC).
- SBOM and dependencies check tool and vulnerabilities database from Google
P.S. I also added it to my Security Automation/Orchestration project, it was missing there: https://github.com/marcinguy/betterscan-ce Hope it helps somebody.
- Nosey Parker: a new scanner to find misplaced secrets in textual data and Git history
Congrats on release. Feel free to check out https://github.com/marcinguy/betterscan-ce It is not that fast, but detects 166+ secret types (modified trufflehog3) and also bugs and vulnerabilities in Code and Cloud setups.
- OpenSSL 3.0.7 Published
If you want to scan a binary to see if it uses a vulnerable version, use this YARA rule: https://github.com/marcinguy/betterscan-ce/blob/master/analy...
Courtesy of Akamai.
If you don't know the YARA tool, you can run this command in the folder where your binary is (it will install everything needed):
sh <(curl https://dl.betterscan.io/cli.sh)
Hope that helps somebody.
- Text4shell CVE-2022-42889 scan
More: https://github.com/marcinguy/betterscan-ce
- Asking for feedback about my business website
- PMD Apex Code Scanner with integration with CLI output (HTML, JSON, Terminal) or Platform
- Open Source (with Professional paid version) Apex Scanning Tool for Salesforce for Security, Quality and Best practices using PMD with many other checks (incl. secrets)
- Checkov + Kubescape + Code checks unified in one interface/UI or output
What are some alternatives?
rustls - A modern TLS library in Rust
awesome-guidelines - A curated list of high quality coding style conventions and standards.
CVE-2022-3602
osv-scanner - Vulnerability scanner written in Go which uses the data provided by https://osv.dev
OpenSSL - TLS/SSL and crypto library
noseyparker - Nosey Parker is a command-line program that finds secrets and sensitive information in textual data and Git history.
openssl-vuln-nov-2022 - List of software impacted by OpenSSL 3.x Nov 2022 vulnerability
ThreatPlaybook - A unified DevSecOps Framework that allows you to go from iterative, collaborative Threat Modeling to Application Security Test Orchestration
osv.dev - Open source vulnerability DB and triage service.
trufflehog - Find and verify secrets
leaky-repo - Benchmarking repo for secrets scanning