Welcome to The Long View—where we peruse the news of the week and strip it to the essentials. Let’s work out what really matters.
This week: The OpenSSL project has egg on its face, and half of Twitter’s staff are for the chop tomorrow.
1. Embarrassing Bug — Should Have Been Caught
First up this week: A feature added to OpenSSL just over a year ago contained two nasty bugs. While they weren’t quite as nasty as they looked last week, they’re still bad.
Analysis: C code parsers considered dangerous
What we can learn: So you’ve written or edited some code that parses input? Before you congratulate yourself, have you run a fuzzer against it?
Sergiu Gatlan: OpenSSL fixes two high severity vulnerabilities
“Tagged as vulnerable”
CVE-2022-3602 is an arbitrary 4-byte stack buffer overflow that could trigger crashes or lead to remote code execution (RCE), while CVE-2022-3786 can … trigger a denial of service state via a buffer overflow. … Per OpenSSL’s policy, organizations and IT admins have been warned since October 25 to search their environments for vulnerable instances and prepare them for patching when OpenSSL 3.0.7 is released.
…
The latest OpenSSL versions are included in the most recent releases of multiple popular Linux distributions, with Red Hat Enterprise Linux 9, Ubuntu 22.04+, CentOS Stream 9, Kali 2022.3, Debian 12, and Fedora 36 tagged as vulnerable. … The Netherlands’ National Cyber Security Centre [also lists Amazon Linux 2022, NetApp Clustered Data ONTAP, Node.js 18/19, Oracle Linux 8, VMware Harbor and VMware Tools].
Wait. Pause. Wasn’t this previewed last week as a sky-falling “critical” bug? Kevin Purdy mouths off:
“Patch as soon as possible”
Once signaled as the first critical-level patch since the Internet-reshaping Heartbleed bug … it ultimately arrived as a “high” security fix for a buffer overflow [that] is unlikely to lead to remote code execution. … Some Linux distributions, including Fedora, held up releases until the patch was available.
…
But this vulnerability mostly affects clients, not servers, so the same kind of Internet-wide security reset (and absurdity) of Heartbleed won’t likely follow. [And the] overflow possible with one attack overwrote an adjacent buffer not yet used. … The other vulnerability only allowed an attacker to set the length of an overflow, not the content.
…
Users of any 3.x OpenSSL implementation, however, should patch as soon as possible. And everybody should be looking out for software and OS updates that may patch these issues in various subsystems.
Channeling the OpenSSL team and adding his own analysis, it’s Marcus “@MalwareTechBlog” Hutchins:
“For your convenience we’ve not yet issued a CVE number for the bug we raised the alarm about weeks in advance. We’ve also provided a 3 hour release window to maximize vendors’ time spent googling random search terms in hope of figuring out wtf. Thank you for your understanding.”
…
I’d say the likelihood of exploitation is low given the complexity of the vulnerability, the fact it’s primarily client side, the requirement for the malicious cert to be signed by a trusted CA, and the small number of affected systems. … It theoretically could lead to RCE, but in practice it would be extremely unlikely. … On a 1-10 scale of was it worth the panic, I’d give it less than zero.
Ouch. And formerly_proven agrees:
CAs normally don’t let you outright construct your own certificate, and I’d expect you’ll have a hard time getting a certificate issued which is both for mail encryption (so you get an email name constraint) and TLS (SAN constraint). And servers without TLS client authentication, which is about 99.99% of them, aren’t affected. TLS client auth is usually only used in enterprise networks and typically terminated by middleboxes running ancient software anyway.
But given this is only in the rather new 3.x branch, how did it get so far? @hanno wants to know:
The … vulns are in a parser function for punycode. This is a new function … so there’s no “this is legacy baggage” excuse.
…
It is the most unsurprising thing that code to parse something … can contain buffer overflows. … The most simple fuzzer with the standard state of the art tool (libfuzzer) finds this in less than a second. [TL;DR:] OpenSSL added new C parser code — notoriously vulnerable to memory corruption — without doing any basic security testing.
…
The mistake to learn from was Heartbleed. We had all these discussions. I was there. … We seem to have lost those insights we already had [e.g.,] never add new parser code without a fuzz target.
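What “never add new parser code without a fuzz target” looks like in practice, as an added example that is not OpenSSL’s code: a bounds-checked RFC 3492 punycode decoder, written so that the output bound is refused before every write and integer overflow is guarded, together with the libFuzzer entry point that would have hammered it. Names, buffer sizes and the sample label are assumptions made here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Added example (not OpenSSL's code): bounds-checked RFC 3492 punycode decoder
 * plus the libFuzzer entry point it should ship with. Returns code points written, -1 on error. */
static unsigned digit_value(unsigned char c) {              /* 36 == not a punycode digit */
    return c >= '0' && c <= '9' ? c - '0' + 26 : c >= 'A' && c <= 'Z' ? c - 'A'
         : c >= 'a' && c <= 'z' ? c - 'a' : 36;
}
static unsigned adapt(unsigned delta, unsigned numpoints, int first) {
    unsigned k = 0;                                         /* RFC 3492 bias adaptation */
    delta = first ? delta / 700 : delta / 2; delta += delta / numpoints;
    for (; delta > (35 * 26) / 2; k += 36) delta /= 35;
    return k + (36 * delta) / (delta + 38);
}
int punycode_decode(const char *in, size_t len, uint32_t *out, size_t max_out) {
    size_t b = 0, p, written = 0;
    unsigned n = 128, i = 0, bias = 72;
    for (p = 0; p < len; p++) if (in[p] == '-') b = p;      /* position of the last delimiter */
    for (p = 0; p < b; p++) {                               /* copy the plain ASCII prefix */
        if ((unsigned char)in[p] >= 0x80 || written >= max_out) return -1;
        out[written++] = (unsigned char)in[p];
    }
    for (p = b > 0 ? b + 1 : 0; p < len; written++) {
        unsigned oldi = i, w = 1, k, digit, t;
        for (k = 36;; k += 36) {                            /* one variable-length integer */
            if (p >= len || (digit = digit_value((unsigned char)in[p++])) >= 36) return -1;
            if (digit > (UINT32_MAX - i) / w) return -1;    /* integer overflow guard */
            i += digit * w;
            t = k <= bias ? 1 : k >= bias + 26 ? 26 : k - bias;
            if (digit < t) break;
            if (w > UINT32_MAX / (36 - t)) return -1;
            w *= 36 - t;
        }
        bias = adapt(i - oldi, (unsigned)written + 1, oldi == 0);
        if (i / (written + 1) > UINT32_MAX - n) return -1;
        n += i / (written + 1);
        i %= written + 1;
        if (written >= max_out) return -1;                  /* refuse BEFORE writing past the buffer */
        memmove(out + i + 1, out + i, (written - i) * sizeof *out);
        out[i++] = n;
    }
    return (int)written;
}
/* libFuzzer entry point; build with: clang -g -fsanitize=fuzzer,address punycode.c */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    uint32_t buf[64];                                       /* small on purpose: an overflow surfaces fast under ASan */
    punycode_decode((const char *)data, size, buf, sizeof buf / sizeof *buf);
    return 0;
}
```

Run the fuzzer binary with no arguments and it generates inputs itself; a decoder that writes one element too many is reported by AddressSanitizer within seconds, which is the “less than a second” test @hanno refers to.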
Sick burn. Failed2Boot is at least thankful that the bugs weren’t as bad as trailed:
Well, that was a whole lotta nothin. Thankfully.
2. Musk’s Cunning Plan: Lay off 50% of Twitter
Sources say Elon will announce a huge layoff tomorrow. DevOps staff are bracing for the loss of their livelihoods.
Analysis: There goes the culture
If true, this is way more than just “cutting back dead wood.” This is the sort of change that rips at the heart of an organization’s institutional memory and its shared culture, dealing it a fatal blow. Twitter: RIP.
Edward Ludlow, Kurt Wagner and Emily Chang: Musk Plans to Eliminate Half of Twitter Jobs
“Bracing for layoffs”
Senior personnel on the product teams were asked to target a 50% reduction in headcount, a person familiar with the matter said. … According to people with knowledge of the matter, Twitter’s new owner aims to inform affected staffers Friday. … Musk also intends to reverse the company’s existing work-from-anywhere policy, asking remaining employees to report to offices.
…
Musk is under pressure to find ways to slash costs of a business for which he says he overpaid. … In the run-up to Musk’s buyout … potential investors were told that he’d eliminate 75% of the workforce. … Twitter employees have been bracing for layoffs ever since.
With some insightful analysis, here’s 50me12:
Musk, like similar folks, has managed to come up with a system where his behavior filters for a particular type of worker. If you can put up with his ****, he knows he can get more out of you—otherwise he has zero use for you.
…
Some drone working from home probably isn’t the concern as much as, “OK I made them do a thing, let’s see how much more I can do.” Anyone who didn’t do the thing he wants, he doesn’t need / want them.
And all the indications are that he’s got them pulling all-nighters. yunwal has a big-ol’ smh moment:
I honestly don’t understand why anyone would be killing themselves over a job at Twitter. … It seems like there’s still a decent job market for developers. I just don’t really get why anyone would actually be working weekends [for] Elon.
The Moral of the Story:
If life were predictable, it would cease to be life—and be without flavor
—Eleanor Roosevelt
You have been reading The Long View by Richi Jennings. You can contact him at @RiCHi or tlv@richi.uk.
Image: Kenshi Kingami (via Unsplash; leveled and cropped)