
How to Detect and Auto-Upgrade OpenSSL Today

by Brenton O'Callaghan

Published on 03.25.2021

On Monday (22nd of March 2021), the OpenSSL Software Foundation pre-announced their next release for this Thursday (25th of March 2021), stating that “The highest severity issue fixed in this release is HIGH”. For OpenSSL, HIGH is the second-highest of their severity levels. With OpenSSL being present on the majority of HTTPS websites and endpoints on the internet, an upgrade at a high priority is significant.

One of the greatest challenges facing the IT Operations world is detecting new releases and reacting to them before others can exploit them.

For example, with the recent Microsoft Exchange zero-day exploits, active mass-scanning began only hours after the emergency patch was released, giving operations professionals a very small window in which to react.

It is clear that this cat-and-mouse game is becoming harder to keep up with, so we need to adopt a new approach. So what can we do? Enter automation...

Working with one of our larger customers this week, we prototyped how we could do two things:

  1. Automatically and constantly compare deployed versions of software (in this case OpenSSL) against the current version released by the vendor and trigger immediate alerts when a version is out of date.
  2. Where appropriate, trigger an immediate upgrade of the software in non-critical systems such as test, development or other systems.


Watch the video of the OpenSSL Version Detection and Auto-Upgrade End to End Scenario >>

 

Constant version detection of OpenSSL

We deployed an Avantra custom check to verify, on a daily basis, the current OpenSSL version on Unix servers and compare it to the latest public version within the OpenSSL GitHub repository. When a server is out of date, the check triggers an alert highlighting that immediate action is required.
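The comparison described above can be sketched as follows. This is an added example, not Avantra's custom check or code from the original post. The function names, the status strings and the sample tag list are assumptions made for illustration, and the example also covers the older lettered release scheme and non-OpenSSL output.

```python
import re

# Release tags look like "OpenSSL_1_1_1k" (old scheme) or "openssl-3.0.7" (new scheme).
# fullmatch() rejects pre-release and FIPS-module tags such as "openssl-3.0.0-alpha13".
TAG_RE = re.compile(r"(?:OpenSSL_|openssl-)(\d+)[._](\d+)[._](\d+)([a-z]*)")
# First line of `openssl version`, e.g. "OpenSSL 1.1.1j  16 Feb 2021".
CLI_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def _key(match):
    major, minor, patch, letters = match.groups()
    # Letter releases run a..z, then za, zb...: order by length, then alphabetically.
    return (int(major), int(minor), int(patch), len(letters), letters)


def _text(key):
    return "%d.%d.%d%s" % (key[0], key[1], key[2], key[4])


def latest_release(tags):
    """Highest stable release among bare tag names, or None if none parse."""
    keys = [_key(m) for m in map(TAG_RE.fullmatch, tags) if m]
    return max(keys, default=None)


def check_openssl(version_output, tags):
    """Return (status, message) in the style of a monitoring check."""
    installed = CLI_RE.match(version_output)
    latest = latest_release(tags)
    if installed is None or latest is None:
        # LibreSSL/BoringSSL output or an empty tag list: never report OK.
        return ("UNKNOWN", "cannot compare: %r" % version_output.strip())
    have = _key(installed)
    if have < latest:
        return ("CRITICAL", "OpenSSL %s installed, %s released" % (_text(have), _text(latest)))
    return ("OK", "OpenSSL %s is current" % _text(have))


# Constructed sample input. A live check would read `openssl version` on the host
# and list tags with: git ls-remote --tags https://github.com/openssl/openssl.git
# (strip the "refs/tags/" prefix before passing the names in).
SAMPLE_TAGS = ["OpenSSL_1_1_1i", "OpenSSL_1_1_1j", "OpenSSL_1_1_1k",
               "openssl-3.0.0-alpha13", "OpenSSL-fips-2_0_16"]

if __name__ == "__main__":
    for line in ("OpenSSL 1.1.1j  16 Feb 2021", "OpenSSL 1.1.1k  25 Mar 2021",
                 "LibreSSL 2.8.3"):
        print(check_openssl(line, SAMPLE_TAGS))
```

Distribution packages often backport security fixes without changing the upstream version string, so on such hosts the package manager's patch level is a better signal than `openssl version` alone.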

 


Automated software upgrades

Once you know that software is out of date, you’re likely already behind the curve in response time, so, where possible, you should add automation as a reaction. This doesn’t need to be a full upgrade of the software but should, at least, trigger the change and approval workflow, allowing the work to be completed during the next available maintenance window.

We proved this scenario by linking our detection of an out-of-date version to an Avantra automation that downloads and applies the latest version of OpenSSL.

This is just one example of how you can speed up your reaction times for scenarios where time is of the essence (e.g. security). Anything you can do in the process of detection, analysis and reaction will help secure your business and also reduce manual effort.

 

 
