OpenSSL critical security vulnerability with upcoming patch -  fix Due Nov 1
Critical Patch Update of OpenSSL

A critical #vulnerability has been discovered in current versions of OpenSSL and will need to be #patched immediately. The OpenSSL Project will release version 3.0.7 on Tuesday, November 1st, 2022, between 13:00 and 17:00 UTC. The vulnerability does not affect versions before 3.0. This is a critical patch update that needs to be applied immediately (https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html).

OpenSSL is a software library that is widely used to enable #secure network connections. Everyone depends on OpenSSL. To unpack that a little: OpenSSL is what makes it possible to use Transport Layer Security (TLS) on Linux, Unix, Windows, and many other operating systems. It is also what is used to lock down pretty much every secure communications and networking application and device out there. If you’re using HTTPS, chances are you’re using #openssl.

How bad is "Critical"? According to OpenSSL, an issue of critical severity affects common configurations and is also likely #exploitable. Such an issue is likely to be abusable to disclose server memory contents (potentially revealing user details), and could be easily exploited remotely to compromise server private keys or execute code remotely. So, this is something almost everyone needs to be aware of.

The OpenSSL Project defines a critical vulnerability as:

“CRITICAL Severity. This affects common configurations and which are also likely to be exploitable. Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys or where remote code execution is considered likely in common situations. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to address these as soon as possible.”

As is standard in these situations, specifics are not available as to what the exact threat is or where the weakness lies, because the project is trying to avoid tipping off opportunistic bad actors who could exploit the vulnerability before it is patched.

The point of this notification isn’t to trigger panic; there’s no point in panicking. This just requires vigilance.

There is a silver lining in this dark cloud. This new hole only affects OpenSSL versions 3.0.0 through 3.0.6, so older operating systems and devices are likely to avoid the problem. For example, Red Hat Enterprise Linux (RHEL) 8.x and earlier and Ubuntu 20.04 won't be hit by it. The OpenSSL Project will also issue OpenSSL version 1.1.1s, dubbed a bug-fix release, on November 1. The project said that version 1.1.1, which it replaces, is not vulnerable to the CVE being resolved in the 3.0 branch.

If you're a Linux user, you can check your own system by running the shell command:

# openssl version

My Linux Operating system needs to be patched also.
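Reading the version string by eye is fine for one box; for a fleet you want the check scripted. The POSIX sh below is an added example (not from the article or the OpenSSL Project): it parses an `openssl version` line and classifies it against the ranges the article gives (3.0.0 through 3.0.6 affected, 3.0.7 fixed, 1.1.1 not affected). The sample line is constructed, and the classification assumes the upstream version number is meaningful; distributions that backport fixes without bumping the version are a caveat the comments call out.

```shell
#!/bin/sh
# Added example: classify an OpenSSL version string against the advisory's
# ranges. Not code from the article or from the OpenSSL Project.

# Pull "MAJOR.MINOR.PATCH" out of a line like
# "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)".
# A letter suffix such as 1.1.1s is dropped; LibreSSL lines yield nothing.
openssl_version_number() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Verdict for a bare version number:
#   AFFECTED      3.0.0 through 3.0.6
#   FIXED         3.0.7 and later on the 3.0 line
#   NOT_AFFECTED  anything before 3.0 (e.g. 1.1.1)
#   NEWER_BRANCH  a 3.x line after 3.0; consult the advisory for it
openssl_status() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$major" -lt 3 ]; then
        echo NOT_AFFECTED
    elif [ "$major" -eq 3 ] && [ "$minor" -eq 0 ]; then
        if [ "$patch" -le 6 ]; then echo AFFECTED; else echo FIXED; fi
    else
        echo NEWER_BRANCH
    fi
}

# Classify one `openssl version` output line. Caveat: distro packages often
# backport the fix while keeping the old upstream number, so treat AFFECTED
# as "check the vendor's package changelog", not as a final answer.
check_openssl_line() {
    ver=$(openssl_version_number "$1")
    if [ -z "$ver" ]; then
        echo UNKNOWN
        return 1
    fi
    openssl_status "$ver"
}

# Constructed sample line (not captured from a real host), then the live host.
sample='OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)'
echo "sample: $sample -> $(check_openssl_line "$sample")"
if command -v openssl >/dev/null 2>&1; then
    live=$(openssl version)
    echo "this host: $live -> $(check_openssl_line "$live" || true)"
fi
```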

Companies that dealt with Heartbleed should know where their OpenSSL installations are located and which vendor products need to be updated. OpenSSL might be included in anything that communicates securely with the Internet.

Searching Shodan for #openssl version 3.0.0 shows 1,126,138 known assets that will remain affected until patched. The top five countries are the United States of America, Japan, Australia, Germany and Canada.


If you're using anything with OpenSSL version 3.x in it, anything at all, get ready to patch on Tuesday, November 1, between 13:00 and 17:00 UTC. This is likely to be a bad #security hole, and #exploits will soon follow. You'll want to make your systems safe as soon as possible. Fingers crossed. Happy patching.

Fatih K.

Forensic Adviser | Cyber Security | CompTIA Sec+ | Face Reading Enthusiast

2 years

thanks for your nice sharing

Reply
Savas Erdim

Security Operations Center Analyst II

2 years

Great article! Thank you for the heads up!

It is a really critical vulnerability, I recommend you to take your precautions. Thank you for the information!

?brahim ??üt

Threat Intelligence Analyst @ SOCRadar | Cybersecurity

2 years

Thanks for this useful information.

More articles by Ömer Evrey