OpenSSL has rated the issue critical, a designation it reserves for a vulnerability that “affects common configurations” and is also likely to be exploitable. In the project's own words, a critical issue may lead to “significant disclosure of the contents of server memory,” potentially revealing user details; may be easily exploited remotely to compromise server private keys; or may make remote code execution (RCE) likely in common situations. What OpenSSL 3.0.7 actually fixes is not yet known: the pre-announcement gives no details of the vulnerability, or vulnerabilities, it addresses.
OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end. It is widely used by Internet servers, including the majority of HTTPS websites.
Considering how many applications rely on OpenSSL, the vulnerability may have major consequences for companies of all sizes and industries. In preparation for Tuesday's update, identify which of your systems are impacted now and draw up a prioritized patching plan. Do not stop at the operating system's package list: applications that ship their own copy of OpenSSL (statically linked binaries, language runtimes, appliances, container images) will not show up there and need to be inventoried separately.
Potentially Huge Implications
If this new vulnerability proves to be another Heartbleed, the most damaging OpenSSL bug to date, organizations and the entire industry will be under pressure to address it as soon as possible.
This critical vulnerability affects only OpenSSL versions 3.0.0 through 3.0.6; the 1.1.1 series is not affected, so older operating systems and devices are unlikely to be exposed. Anything that runs or embeds OpenSSL 3.x, however, should be ready to patch on Tuesday. Once details are public, exploit attempts are likely to follow quickly, so plan to have those systems updated as soon as possible.
Examples of Impacted Operating Systems:
- Red Hat Enterprise Linux 9.x
- Ubuntu 22.04
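The inventory step described above, as an added example that is not code from the article or from the OpenSSL project: a POSIX shell script that checks the version reported by the host's openssl tool and then scans library and executable directories for embedded OpenSSL version banners, so that vendored or statically linked copies are caught too. The function names and the sample "binaries" it constructs are this example's own; the only assumption taken from the text is that the affected range is exactly 3.0.0 through 3.0.6.

```shell
#!/bin/sh
# Added example, not code from the original article: triage a host for OpenSSL
# builds in the affected 3.0.0 through 3.0.6 range, including copies embedded
# in binaries that the package manager does not know about.
# Assumption: the affected range is exactly 3.0.0-3.0.6, as the
# pre-announcement states; 3.0.7 and the 1.1.1 series are treated as safe.

# Exit 0 if a version string such as "3.0.2" falls in the affected range.
openssl_version_affected() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 1
    set -- $ver                      # now $1=major $2=minor $3=patch
    [ "$1" -eq 3 ] && [ "$2" -eq 0 ] && [ "$3" -le 6 ]
}

# Pull the library version out of `openssl version` output. When the banner
# carries "(Library: OpenSSL x.y.z ...)", that is the libcrypto actually loaded
# and is the version that matters; otherwise use the leading version.
openssl_version_from_banner() {
    lib=$(printf '%s\n' "$1" |
        sed -n 's/.*Library: OpenSSL \([0-9][0-9.]*[0-9]\).*/\1/p')
    if [ -n "$lib" ]; then
        printf '%s\n' "$lib"
        return 0
    fi
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[0-9]\).*/\1/p'
}

# Report the first OpenSSL version banner embedded in a file (static links,
# vendored copies inside language runtimes, container layers). grep -a treats
# the binary as text; prints nothing if no banner is found.
embedded_openssl_version() {
    grep -a -o -m 1 'OpenSSL [0-9][0-9.]*[0-9][a-z]*' "$1" 2>/dev/null |
        head -n 1 | sed 's/^OpenSSL //'
}

# Walk the given directories and print "<path> <version>" for every libssl,
# libcrypto or executable carrying an affected embedded version.
scan_host() {
    for dir in "$@"; do
        find "$dir" -type f \( -name 'libcrypto.so*' -o -name 'libssl.so*' -o -perm -u+x \) 2>/dev/null |
        while IFS= read -r f; do
            v=$(embedded_openssl_version "$f")
            if [ -n "$v" ] && openssl_version_affected "$v"; then
                printf '%s %s\n' "$f" "$v"
            fi
        done
    done
    return 0
}

# Demo on constructed input (not real files): one fake binary carrying an
# affected banner and one carrying the fixed 3.0.7 banner.
demo_dir=$(mktemp -d)
printf 'junk\0OpenSSL 3.0.2 15 Mar 2022\0more' > "$demo_dir/vendored-app"
printf 'junk\0OpenSSL 3.0.7 1 Nov 2022\0more' > "$demo_dir/patched-app"
chmod +x "$demo_dir/vendored-app" "$demo_dir/patched-app"
scan_host "$demo_dir"             # lists only vendored-app
rm -rf "$demo_dir"

# The live host: the version the command-line tool reports, if it is installed.
if command -v openssl >/dev/null 2>&1; then
    host_ver=$(openssl_version_from_banner "$(openssl version)")
    if openssl_version_affected "$host_ver"; then
        echo "host openssl $host_ver: AFFECTED, patch to 3.0.7 when released"
    else
        echo "host openssl $host_ver: not in the 3.0.0-3.0.6 range"
    fi
fi
```

Run it as root with the real directories of interest (`scan_host /usr /opt /srv`, or the mounted root of each container image). Two caveats: distributions that backport fixes without bumping the upstream version, as Red Hat does, will keep reporting 3.0.x after patching, so confirm those hosts through the package manager's advisory or changelog rather than the version string; and software that renames or strips the banner will not be found this way, which is why the inventory should also draw on your SBOMs and vendor notices.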