The OpenSSL project has announced a patch, due for release tomorrow, for a vulnerability it rates as critical. It is only the second flaw of that severity in eight years. The previous one was Heartbleed (CVE-2014-0160), a bug that let an attacker read memory from affected servers and clients and recover private keys, exposing the data of services and their users.
The OpenSSL team announced that version 3.0.7 will be released on Tuesday, 1 November 2022, between 13:00 and 17:00 UTC. A bug-fix release of the 1.1.1 series, 1.1.1s, is scheduled for the same day; the security fix itself lands in 3.0.7. The issue being addressed carries a severity rating of critical, the highest level in OpenSSL's security policy.
No technical details have been published yet, because they could help threat actors work out how to exploit the flaw before the fix is available. Instead, the OpenSSL team announced the release date in advance so that IT teams can prepare to deploy it (inventory affected systems and schedule maintenance windows) without giving attackers anything to work from.
Mark J. Cox, a core member of the OpenSSL team, has also said it is unlikely that threat actors will be able to locate the bug from the pre-announcement alone, given the volume of changes in the 3.0 branch and the absence of any other information.
Even so, if you run OpenSSL, in particular any 3.0.x build, plan to apply the update as soon as it is published. Bear in mind that OpenSSL is often statically linked or bundled inside other software, so the system package is not the only copy that needs checking.
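As an added example (not code from the article or from the OpenSSL project), the following POSIX shell helper classifies `openssl version` output so a fleet inventory can tell which hosts are on a 3.0.x build older than 3.0.7. It assumes the critical fix applies only to the 3.0 series, as the separate bug-fix release 1.1.1s suggests; the host names and version strings are constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the article or from the OpenSSL project.
# Classifies an `openssl version` string so a fleet inventory can tell which
# hosts need the 3.0.7 update. Assumption: only the 3.0 series is in scope for
# the critical fix; 1.1.1s is a bug-fix release, so 1.1.1 hosts are reported
# separately rather than as needing it.

# classify_openssl_version "<version string>"
# Prints one of: update  (3.0.0 .. 3.0.6, needs 3.0.7)
#                current (3.0.7 or later)
#                not-3.0 (any other OpenSSL branch, e.g. 1.1.1q)
#                unknown (string is not an OpenSSL version line at all)
classify_openssl_version() {
    # Keep only the numeric part: "OpenSSL 1.1.1q  5 Jul 2022" -> "1.1.1"
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # Drop anything after a further dot and default a missing patch level to 0
    patch=${patch%%.*}
    [ -n "$patch" ] || patch=0
    if [ "$major" != 3 ] || [ "$minor" != 0 ]; then
        echo not-3.0
    elif [ "$patch" -lt 7 ]; then
        echo update
    else
        echo current
    fi
}

# check_local_openssl: classify the OpenSSL the system CLI is linked against.
# Prints "unknown" when no openssl binary is on PATH.
check_local_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        classify_openssl_version "$(openssl version 2>/dev/null)"
    else
        echo unknown
    fi
}

# Constructed sample inventory (host|version string); not real data.
sample_inventory='web-01|OpenSSL 3.0.5 5 Jul 2022
web-02|OpenSSL 3.0.7
db-01|OpenSSL 1.1.1q  5 Jul 2022
bastion|LibreSSL 3.3.6'

printf '%s\n' "$sample_inventory" | while IFS='|' read -r host verstring; do
    printf '%-8s %s\n' "$host" "$(classify_openssl_version "$verstring")"
done

printf '%-8s %s\n' "local" "$(check_local_openssl)"
```

`openssl version` only reports the library the system CLI is linked against; applications that bundle or statically link their own OpenSSL (language runtimes, container images, appliances) have to be checked separately, for example by querying the bundled binary or the vendor's advisory.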