The OpenSSL project has pre-announced version 3.0.7, which will be released on November 1st 2022, between 13:00 and 17:00 UTC. All OpenSSL versions in the 3.x series are affected.

Why is this patch important?

The patch addresses a security issue and has been categorised as CRITICAL.

A critical security patch for OpenSSL is rare – the last time we saw this was in connection with the Heartbleed vulnerability in 2014, which affected millions of users and service providers and was successfully exploited many times with significant commercial and reputational damage.

When the new patch, 3.0.7, is released, the vulnerability will become public knowledge, so there is a very small window for those running impacted infrastructure to assess the potential for exploitation and apply the patch or take mitigating action.

OpenSSL reach

OpenSSL is at the heart of much of the internet’s secure communications, and any critical security flaw will have wide-ranging consequences. OpenSSL is embedded in a vast number of appliances, software and systems, and it may not be immediately apparent that you are affected.

Pierre-Olivier Blu-Mocaer has curated a list of systems known to be reliant on OpenSSL 3.x – please note this list is not exhaustive, and you should check with your providers or security partners if you are unsure of the presence of these versions on your own estate.

Recommended actions

• Be ready to review the release notes of OpenSSL 3.0.7 on November 1st, 2022.
• Be ready to apply the patch directly, where appropriate, or as a vendor patch where OpenSSL is embedded.
• Plan for removal of internet connectivity to impacted systems, should a patch for your environment not be immediately available.
• Increase monitoring, where possible, of affected systems.
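Because OpenSSL is often embedded and "it may not be immediately apparent that you are affected", a quick host-level inventory helps decide where the patch or the mitigations above apply. The script below is an added example, not part of the original post or of any Secrutiny tooling; it assumes a POSIX shell on Linux, optionally the `openssl` CLI, `dpkg-query` or `rpm`, and the usual shared-library paths. It cannot see statically linked binaries or vendor appliances, which still need to be checked with the provider.

```shell
#!/bin/sh
# Added example (not from the original post): flag hosts carrying the OpenSSL 3.x series.

# Pull the first dotted version number out of a string such as
# "OpenSSL 3.0.5 5 Jul 2022" -> "3.0.5", or "OpenSSL 1.1.1q  5 Jul 2022" -> "1.1.1q".
openssl_version_of() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*[0-9.a-z]*\).*$/\1/p'
}

# Return 0 (true) when the version banner belongs to the affected 3.x series, 1 otherwise.
# LibreSSL also reports 3.x version numbers but is a separate code base, so it is excluded.
openssl_is_3x() {
    case "$1" in *LibreSSL*) return 1 ;; esac
    ver=$(openssl_version_of "$1")
    case "$ver" in
        3.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Inventory one host: CLI banner, shared libraries and distribution packages.
# Prints findings and returns 0 if any 3.x component was seen, 1 if none was.
scan_host() {
    found=1
    if command -v openssl >/dev/null 2>&1; then
        banner=$(openssl version 2>/dev/null)
        if openssl_is_3x "$banner"; then
            echo "CLI: $banner  [3.x series, affected]"; found=0
        else
            echo "CLI: $banner"
        fi
    fi
    # The 3.x series installs libssl.so.3 / libcrypto.so.3 (the 1.1 series uses .so.1.1).
    libs=$(find /lib /lib64 /usr/lib /usr/lib64 /usr/local/lib \
           \( -name 'libssl.so.3*' -o -name 'libcrypto.so.3*' \) -print 2>/dev/null)
    if [ -n "$libs" ]; then
        echo "Shared libraries from the 3.x series:"; echo "$libs"; found=0
    fi
    # Package managers: Debian/Ubuntu ship the 3.x library as libssl3; RPM-based systems as openssl-libs.
    dpkg-query -W -f='deb: ${Package} ${Version}\n' 'libssl3*' 2>/dev/null
    rpm -q --qf 'rpm: %{NAME} %{VERSION}\n' openssl-libs openssl 2>/dev/null | grep -v 'not installed'
    return $found
}

# Run the inventory when executed directly (harmless when the file is only sourced for its functions).
[ "${0##*/}" = "openssl3-check.sh" ] && scan_host
```

Run it on each host you manage and correlate the results with the vendor list linked under Sources; a host that reports nothing here may still embed OpenSSL 3.x inside an appliance or a statically linked product.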

Secrutiny will be implementing rules to detect attempts to exploit the vulnerability for all of our managed security customers as soon as details are known.

If you need support with this issue, please don’t hesitate to get in touch.

Sources:
https://secrutiny.com/two-high-severity-vulnerabilities-found-in-openssl-software/
https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
https://github.com/pblumo/openssl-vuln-nov-2022/blob/main/list.csv