UPDATE (November 1, 2022, 01:55 p.m. ET): OpenSSL version 3.0.7 is out, and the severity of the vulnerability has been downgraded. Check out what you should be doing next.
The OpenSSL Project team has announced that, on November 1, 2022, it will release OpenSSL version 3.0.7, which will fix a critical vulnerability in the popular open-source cryptographic library. The flaw does not affect OpenSSL versions before 3.0.
According to the team’s own risk classification, critical vulnerabilities in OpenSSL are those that affect common configurations and are likely to be exploitable.
“Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys or where remote code execution is considered likely in common situations,” they say.
Why does the OpenSSL Project team preannounce the release of security fixes?
The OpenSSL library is an open-source implementation of the SSL and TLS cryptographic protocols, which make secure communication across networks possible.
In 2014, when the critical Heartbleed bug was fixed, it became obvious just how much the security of computer systems, the internet as a whole, and users depends on the “good health” of this pervasive software library.
OpenSSL is included in many operating systems (Windows, macOS, various Linux distributions, etc.); client-side software; web and email server software (Apache, nginx, etc.); network appliances (Cisco, Fortinet, Juniper, etc.); industrial control systems; and so on.
With all this in mind, the OpenSSL team usually preannounces security fixes via its site and its mailing list, but it also directly notifies organizations that produce a general-purpose OS that uses OpenSSL, maintainers of popular open-source projects derived from OpenSSL, and organizations with which the project has a commercial relationship. With these parties it shares vulnerability details and patches in advance.
Other organizations also have time to prepare:
This is good advice. If you know in advance where you are using OpenSSL 3.0+ and how you are using it then when the advisory comes you'll be able to quickly determine if or how you're affected and what you need to patch.
— Mark J Cox (@iamamoose) October 25, 2022
Cisco WSA Ironport, Symantec VIP Gateways will be in scope too. Will be interesting to see how the other SSL libraries are affected if at all: Boring, Wolf, Libre…
— ronin3510 (@ronin3510) October 25, 2022
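The inventory step Cox recommends above (know where you run OpenSSL 3.0+ before the advisory lands) is easy to script. The following is an added example written for this page, not code from the article or from the OpenSSL project: it classifies an `openssl version` string against the range the 3.0.7 release addresses (3.0.0 up to, but not including, 3.0.7; versions before 3.0 are out of scope, as the article states) and lists libssl shared objects under directories you name. The function names and the sample version strings are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article or the OpenSSL project): a small
# inventory helper for the "know where you are using OpenSSL 3.0+" step.

# openssl_affected "<output of openssl version>"
# Prints "affected", "not-affected" or "unrecognized".
# Returns 0 only when the version is in the 3.0.0 .. 3.0.6 range.
openssl_affected() {
    # Keep only the dotted numeric part:
    # "OpenSSL 1.1.1q  5 Jul 2022" -> "1.1.1", "OpenSSL 3.0.5 5 Jul 2022" -> "3.0.5"
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo "unrecognized"   # not an OpenSSL banner (LibreSSL, BoringSSL, garbage)
        return 2
    fi
    major=${ver%%.*}
    rest=${ver#"$major"}; rest=${rest#.}
    minor=${rest%%.*}
    rest=${rest#"$minor"}; rest=${rest#.}
    patch=${rest%%.*}
    [ -n "$patch" ] || patch=0      # "3.0" with no patch level means 3.0.0
    # Only the 3.0 series before 3.0.7 is in scope; 1.x and 3.0.7+ are not.
    if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -lt 7 ]; then
        echo "affected"
        return 0
    fi
    echo "not-affected"
    return 1
}

# find_libssl DIR...
# Lists libssl shared objects under the given directories. A soname of
# libssl.so.3 marks the 3.x series and is the one to check first; statically
# linked binaries and vendor appliances will not show up here and need their
# own vendor advisories.
find_libssl() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -name 'libssl.so*' 2>/dev/null
    done
}

# Demo on the local host: verdict for the openssl on PATH, if any, then the
# shared objects in the usual library directories.
if command -v openssl >/dev/null 2>&1; then
    openssl_affected "$(openssl version)" || true
fi
find_libssl /lib /usr/lib /usr/local/lib
```

Run it on each host you manage and keep the output; when the advisory is published you can match it against the list instead of discovering your exposure under time pressure. The banner check deliberately reports anything that is not an OpenSSL banner as `unrecognized` rather than `not-affected`, so forks such as LibreSSL are flagged for a separate look rather than silently passed.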
No details have been shared with the public about the vulnerability and, according to OpenSSL core team member Mark J. Cox, attackers are unlikely to ferret out the vulnerability before the fixed version is widely deployed. “Given the number of changes in 3.0 and the lack of any other context information, [attackers successfully scouring the commit history between 3.0 and the current version] is very highly unlikely,” he opined.