OpenSSL has categorized the issue as critical, a designation it uses to indicate a vulnerability that “affects common configurations” and is likely exploitable. A critical issue may, in their words, lead to “significant disclosure of the contents of server memory,” potentially revealing user details, or it may be easily exploited to compromise server private keys or lead to RCE (Remote Code Execution). The exact fixes in OpenSSL 3.0.7 are unknown. The update notice does not detail the vulnerability or vulnerabilities.
OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping or ones that need to identify the party at the other end. It is widely used by Internet servers, including the majority of HTTPS websites.
Considering how many applications rely on OpenSSL, the vulnerability may have major consequences for companies of all sizes and industries. In preparation for Tuesday's update, it is best to identify which of your systems are impacted and develop a prioritized plan for patching.
Potentially Huge Implications
If this new vulnerability proves to be another Heartbleed bug, which was the last critical vulnerability to impact OpenSSL, organizations and the entire industry will be under pressure to address it as soon as possible.
This critical vulnerability only affects OpenSSL versions 3.0.0 through 3.0.6. Older operating systems and devices are unlikely to be affected, but if you are using anything with OpenSSL 3.x, get ready to patch on Tuesday. You will want to make sure your systems are safe as soon as possible because the vulnerability will likely lead to many exploits in the near future.
Examples of Impacted Operating Systems:
- Redhat Enterprise Linux 9.x
- Ubuntu 22.04
Claus Nielsen
Claus Nielsen is the CMO of Holm Security. He has over 20 years of global executive experience, including in North America, Asia, and Europe. His previous roles include Chief Operating & Marketing Officer at KebNi AB and Global VP of Marketing at Neural Technologies.