OpenSSL is a widely used open-source cryptographic library that provides TLS and general-purpose cryptography to applications and underpins much of the traffic encryption on the internet. On Tuesday, October 25, 2022, the OpenSSL Project announced that on November 1, 2022, between 1300 and 1700 UTC (1:00 pm and 5:00 pm UTC), it will release OpenSSL version 3.0.7. This is a security-fix release that addresses a critical vulnerability in the library. The fix applies only to the 3.0 series (3.0.0 through 3.0.6); OpenSSL versions before 3.0, such as 1.1.1, are not affected.
According to the OpenSSL Project's security policy, a vulnerability rated critical is one that “affects common configurations…which are also likely to be exploitable.” Details of this vulnerability have not been disclosed, in line with the project's policy of withholding critical issues until the fixed version is available. Mark J. Cox, a member of the OpenSSL Project team, has said that attackers are unlikely to find the issue independently before the fix is widely deployed, given “the number of changes in 3.0 and the lack of any other context information.”
In 2014, OpenSSL fixed the Heartbleed vulnerability, which affected versions 1.0.1 through 1.0.1f and was resolved in 1.0.1g. Heartbleed allowed an unauthenticated remote attacker to read portions of a vulnerable system's memory over the network, exposing sensitive data such as usernames, passwords, session tokens, and private keys. Given that precedent and the impact it had on users, it is imperative that users stay vigilant and be prepared to patch their systems as soon as the new OpenSSL version is released.
Because OpenSSL is deployed across organizations in many industries and the impact of this critical vulnerability is not yet known, the Converge / CBI, A Converge Company security team will continue to monitor developments and determine whether any further actions are required.
Potentially affected: hardware devices, operating systems, and software applications that rely on OpenSSL 3.0.x for secure communications, including applications that bundle their own copy of the library rather than using the one supplied by the operating system.
Recommended actions: inventory all instances of OpenSSL within your network infrastructure, including both operating-system packages and copies embedded in applications and appliances, and record which are 3.0.x.
Prepare to install OpenSSL 3.0.7 promptly once it is released, and track vendor updates for products that ship their own copy of OpenSSL, since those will not be fixed by updating the operating-system package alone.
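The inventory step above is where most of the work is, because `openssl version` only reports the copy of the library the command-line tool was built against, not the copies applications ship themselves. The script below is an added example written for this advisory; it is not Converge / CBI tooling and not part of the OpenSSL Project. It assumes a POSIX shell on Linux, treats `dpkg-query`, `rpm`, `ldconfig` and `strings` as optional, and relies on one property of OpenSSL builds: the library embeds its version banner (the string `OpenSSL x.y.z <date>`), so that string can be recovered from shared objects and from statically linked binaries with `strings`. The version-range logic (3.0.0 through 3.0.6 affected, everything else not) follows the OpenSSL Project's announcement; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: OpenSSL 3.0.x inventory helper (not the advisory author's tooling).
# Usage: sh openssl_inventory.sh --run /usr/local /opt [more dirs...]
# Assumes POSIX sh; dpkg-query, rpm, ldconfig and strings are used only when present.

# Print "yes" if VERSION falls in the announced affected range (3.0.0 .. 3.0.6),
# "no" for any other parseable version (1.1.1x, 3.0.7, 3.1.x), "unknown" otherwise.
# Distro suffixes such as "3.0.2-0ubuntu1.6" or letters such as "1.1.1q" are tolerated.
openssl_affected() {
    ver="$1"
    case "$ver" in
        [0-9]*.[0-9]*.[0-9]*) ;;           # need at least major.minor.patch
        *) echo unknown; return 0 ;;
    esac
    major=$(printf '%s\n' "$ver" | cut -d. -f1)
    minor=$(printf '%s\n' "$ver" | cut -d. -f2)
    patch=$(printf '%s\n' "$ver" | cut -d. -f3 | sed 's/[^0-9].*//')
    if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -lt 7 ]; then
        echo yes
    else
        echo no
    fi
}

# Extract "3.0.5" from a banner such as "OpenSSL 3.0.5 5 Jul 2022" (as printed by
# `openssl version` and as embedded in libcrypto). Prints nothing for non-OpenSSL banners.
openssl_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# One tab-separated report line: <where> <version> affected=<yes|no|unknown>
report_version() {
    printf '%s\t%s\taffected=%s\n' "$1" "${2:-?}" "$(openssl_affected "${2:-?}")"
}

# Look for an embedded OpenSSL banner in a single file (shared object or executable).
scan_file() {
    command -v strings >/dev/null 2>&1 || return 0
    banner=$(strings -a "$1" 2>/dev/null | grep -m1 -E '^OpenSSL [0-9]+\.[0-9]+\.[0-9]+' || true)
    [ -n "$banner" ] && report_version "file:$1" "$(openssl_version_from_banner "$banner")"
    return 0
}

# Full inventory: CLI, distro packages, loader-visible libraries, then embedded copies
# under the directories given as arguments.
inventory_openssl() {
    # 1. The openssl CLI on PATH (often the only thing people check).
    if command -v openssl >/dev/null 2>&1; then
        report_version "cli:$(command -v openssl)" \
            "$(openssl_version_from_banner "$(openssl version 2>/dev/null)")"
    fi
    # 2. Operating-system packages (Debian/Ubuntu and RPM-based distros).
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Package}\t${Version}\n' 'libssl*' 'openssl*' 2>/dev/null |
        while IFS="$(printf '\t')" read -r pkg ver; do report_version "pkg:$pkg" "$ver"; done
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -qa --qf '%{NAME}\t%{VERSION}\n' 'openssl*' 2>/dev/null |
        while IFS="$(printf '\t')" read -r pkg ver; do report_version "pkg:$pkg" "$ver"; done
    fi
    # 3. Libraries the dynamic loader knows about (glibc systems); the soname alone only
    #    tells you the ABI (libssl.so.3 = 3.x), so read the banner for the patch level.
    if command -v ldconfig >/dev/null 2>&1; then
        ldconfig -p 2>/dev/null | awk '/lib(ssl|crypto)\.so/ {print $NF}' |
        while read -r lib; do scan_file "$lib"; done
    fi
    # 4. Copies bundled with applications or statically linked into executables.
    for dir in "$@"; do
        find "$dir" -type f \( -name 'lib*.so*' -o -perm -u+x \) 2>/dev/null |
        while read -r f; do scan_file "$f"; done
    done
}

case "${1:-}" in
    --run) shift; inventory_openssl "$@" ;;
esac
```

Run it as `sh openssl_inventory.sh --run /usr/local /opt` on each host and keep the `affected=yes` lines as the remediation list; the `file:` entries are the ones an operating-system package update will not fix, so they need an update from whoever ships that binary. Package versions carry distro suffixes, and a distro may backport the fix without changing the upstream version number, so confirm against the vendor's advisory before closing an item.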