On October 25, 2022, the OpenSSL project announced that OpenSSL (v3.0.7) would be released to fix a serious security flaw. On Tuesday, November 1, 2022, between 1300 and 1700 UTC, this release ought to become online.

The last critical vulnerability in OpenSSL was released in 2016.

About OpenSSL vulnerability

Although the OpenSSL project has rated this issue as serious, it has been stated that versions of OpenSSL older than 3.0 will not be affected. As a result, if you’re still using OpenSSL 3.0 or later, you shouldn’t experience any problems.

The OpenSSL project’s security policy outlines what they consider critical vulnerabilities:

In order to provide encryption, security, and privacy features, a variety of external and internal applications frequently employ open-source OpenSSL. It can be found in a variety of applications, including those that are hosted locally, in the cloud, in SaaS apps, on servers, endpoints, and IOT or OT settings. Therefore, if OpenSSL has a significant bug, there is a substantial chance of interruption.

Also read, Attackers Crash Remote Servers with New Infinite Loop Bug in OpenSSL

According to the OpenSSL Project team, the vulnerability is “critical,” and versions that are impacted must be patched to a new version of 3.0.7 or above. Only twice has an OpenSSL vulnerability been classified as “critical” (the first one being in September 2016). These vulnerabilities “impact typical configurations and are also likely to be exploitable,” according to the severity level.

The security flaw this week only affects OpenSSL versions 3.0 and up, which will reduce impacted apps. Numerous applications are still utilizing older versions of the software that do not have this new issue, even though Version 3.0 was just released on September 7, 2021, just over a year ago.

It’s likely that there are circumstances in which an application is safe from the exploitation of the new weakness even if it uses OpenSSL 3.0 or above because perhaps the vulnerability isn’t exposed in every instance. Before this can be fairly evaluated, more data are required.

What can I do up till more information is revealed?

Organizations should maintain vigilance and follow best practices for security in the interim, such as patching and updating all systems to the most recent version of the operating system. And preparing to update their intrusion prevention systems when they become available.

The Software Bill of Materials (SBOM), offers a comprehensive overview of the company’s software components. These components can be used to understand in detail where OpenSSL is utilized inside the firm.

By doing this, it will be possible to prioritize important regions and get ready for the upcoming patch.

Prepare and Fix the Critical OpenSSL 3 Vulnerability

Organizations must ensure to prioritize identifying and patching the major OpenSSL vulnerability as soon as the update to 3.0.7 is made available, which is anticipated to happen between 1300-1700 UTC on Tuesday, November 1. This is similar to Heartbleed, which was quickly exploited.