Version 3.0.7 of OpenSSL is expected to be released on November 1 to fix a critical vulnerability that has not yet been made public. The vulnerability resides in currently used versions of OpenSSL. After full disclosure of the vulnerability, its likelihood of being exploited will determine how quickly organizations must address the issue.
Following OpenSSL’s announcement this week, many vendors are now awaiting the update and the vulnerability details. Only versions 3.0.0 through 3.0.6 of OpenSSL are vulnerable; therefore, older operating systems and devices will likely not be affected.
The last critical vulnerability to impact OpenSSL was Heartbleed (CVE-2014-0160), disclosed in 2014. The Heartbleed vulnerability allowed attackers to steal data, impersonate devices and listen to communications stealthily.
All businesses will be under pressure to fix the problem as soon as possible if the new vulnerability turns out to be similar to Heartbleed.
How Critical is It?
According to OpenSSL, a critical vulnerability of this kind allows significant disclosure of the server’s memory contents, potentially including user information. Threat actors can exploit such flaws remotely to compromise the server’s private keys.
What Can Be Done?
Numerous modern operating systems, including Ubuntu 22.04 LTS, macOS Mavericks, and Ventura, use OpenSSL 3.0, the most recent release series. Organizations need to determine whether they are using a vulnerable version and how long it would take them to fix the problem.
OpenSSL might be included in anything that securely communicates with the Internet. Hardware might also be impacted in addition to software. Firms that have dealt with Heartbleed should know where their OpenSSL installations are located and which vendor products need to be updated.
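One way to start that inventory, as an added example that is not part of the article: a POSIX shell helper that classifies an `openssl version` string against the affected range named above (3.0.0 through 3.0.6), plus a helper that lists the places on a Linux host where additional copies of OpenSSL commonly sit. The sample version strings at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the article): decide whether an OpenSSL version
# string falls in the affected range, 3.0.0 through 3.0.6, and show where
# copies of OpenSSL may hide on a Linux host.

# Return 0 when the version string denotes an affected release, 1 otherwise.
# Accepts raw "openssl version" output ("OpenSSL 3.0.5 5 Jul 2022") or a
# bare version such as "1.1.1q".
openssl_is_affected() {
    v=$1
    v=${v#OpenSSL }          # drop the leading product name, if present
    v=${v%% *}               # drop the build date / anything after a space
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}  # "1q" -> "1", so a letter suffix cannot break -le
    if [ "$major" = 3 ] && [ "$minor" = 0 ] && [ "${patch:-0}" -le 6 ]; then
        return 0
    fi
    return 1
}

# Print a verdict for one version string.
verdict_for() {
    if openssl_is_affected "$1"; then
        printf '%s: AFFECTED, plan the upgrade to 3.0.7\n' "$1"
    else
        printf '%s: not in the affected 3.0.0-3.0.6 range\n' "$1"
    fi
}

# Inventory helper. Package managers, bundled vendor software and statically
# linked binaries can each carry their own copy, so the binary on PATH is
# only one data point. (Paths below are assumptions; adjust per host.)
list_local_openssl() {
    command -v openssl >/dev/null 2>&1 && openssl version
    # shared libraries the dynamic linker knows about (ldconfig may be absent)
    ldconfig -p 2>/dev/null | grep -E 'lib(ssl|crypto)\.so' | awk '{print $NF}' | sort -u
    # binaries that embed an affected version banner, catching static builds
    find /usr/local/bin /opt -type f -size +100k 2>/dev/null \
        | xargs -r grep -l -a 'OpenSSL 3\.0\.[0-6]' 2>/dev/null
}

# Constructed sample inventory lines, as "openssl version" might report them.
for sample in "OpenSSL 3.0.5 5 Jul 2022" "OpenSSL 3.0.10" \
              "OpenSSL 1.1.1q 5 Jul 2022" "3.0.0"; do
    verdict_for "$sample"
done
```

Run `list_local_openssl` on each host to collect the strings, then feed them to `verdict_for`; vendor appliances that bundle OpenSSL still need the vendor's own statement.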
In the absence of any evidence of exploitation, and with no further details available, the recommended strategy for enterprises is to follow their own change-management procedure for when a known update is on the way.
The OpenSSL Project will also issue OpenSSL version 1.1.1s, dubbed a “bug-fix release,” on November 1. The project said that the 1.1.1 series, which that release updates, is not vulnerable to the CVE being resolved in 3.0.