OpenSSL to Fix Critical Flaw
Tuesday will likely be a busy day for many IT and security teams, as the OpenSSL Project plans to release a new version that fixes an unspecified critical vulnerability.

The bug affects version 3.0.x of OpenSSL, and not the older 1.1.1 branch. But OpenSSL is embedded in myriad operating systems, applications, and other libraries, some of which may not be immediately obvious. Security researchers are advising enterprise teams to spend some time before the patched version comes out Tuesday figuring out where exactly they might have exposure.

“In short: This is something you will need to worry about! The update will only affect OpenSSL 3.0.x, not 1.1.1. Now is the time to figure out where and how you are using OpenSSL 3.0.x. For most systems, you will be able to use the openssl command line utility,” Johannes Ullrich of the SANS Institute said in a post on the bug.
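As an added example that is not part of the original article or of SANS's or the OpenSSL Project's material, the following POSIX shell script performs the inventory step described above on a Linux host: it classifies the output of `openssl version`, lists 3.x libssl/libcrypto shared objects on disk, and names running processes that have one mapped. The function names, output labels and sample version strings are the example's own.

```shell
#!/bin/sh
# Added example: inventory OpenSSL 3.0.x on a Linux host ahead of the 3.0.7 release.
# Only the 3.0 branch is in scope; the 1.1.1 branch is not affected by the announced fix.

# Classify the raw output of `openssl version` (e.g. "OpenSSL 3.0.5 DD Mon YYYY").
# Prints AFFECTED for OpenSSL 3.0.0..3.0.6, FIXED for 3.0.7 or later 3.0.x,
# NOT_AFFECTED for anything else (1.1.1, other 3.x minors, non-OpenSSL libraries).
classify_version() {
    [ "${1%% *}" = OpenSSL ] || { echo NOT_AFFECTED; return; }
    v=$(printf '%s\n' "$1" | awk '{print $2}')
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}          # drop letter suffixes such as "7-dev"
    [ "$major" = 3 ] && [ "$minor" = 0 ] || { echo NOT_AFFECTED; return; }
    if [ "${patch:-0}" -lt 7 ]; then echo AFFECTED; else echo FIXED; fi
}

# Walk the host: the CLI on PATH, 3.x shared objects anywhere on local filesystems
# (bundled copies inside application trees are the ones a distro update will not touch),
# and processes that currently have such an object mapped. Statically linked binaries
# do not show up here; the soname only identifies the 3.x ABI, so confirm the exact
# patch level with `openssl version` or the package manager for each hit.
scan_host() {
    echo "== openssl binary on PATH =="
    if command -v openssl >/dev/null 2>&1; then
        out=$(openssl version)
        echo "$out -> $(classify_version "$out")"
    fi
    echo "== libssl/libcrypto 3.x objects on disk =="
    find / -xdev \( -name 'libssl.so.3*' -o -name 'libcrypto.so.3*' \) 2>/dev/null
    echo "== processes with a 3.x OpenSSL library mapped =="
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if grep -qE 'lib(ssl|crypto)\.so\.3' "$maps" 2>/dev/null; then
            printf '%s\t%s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}

# Run the full scan only when asked for explicitly: `sh inventory.sh scan`
case "${1:-}" in scan) scan_host ;; esac
```

The scan needs root to read every process's maps; without it, only the caller's own processes are reported.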

The OpenSSL Project published an advisory about the forthcoming vulnerability disclosure on Oct. 25, simply warning that version 3.0.7 will fix a critical security issue. But that was enough to set off alarm bells in the security community, given the history of critical security bugs in OpenSSL, and the way in which the project defines a critical vulnerability.

“This affects common configurations and which are also likely to be exploitable. Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys or where remote code execution is considered likely in common situations,” the OpenSSL definition says.

The warning this week brought up not-so-pleasant memories of Heartbleed, the vulnerability that affected OpenSSL’s implementation of TLS/DTLS and allowed an attacker to use a special technique to recover secrets such as encryption key material, passwords, and other sensitive data. Heartbleed affected a huge range of applications and Linux distributions and caused months of headaches for security teams trying to find and patch all of the vulnerable systems.

The OpenSSL Project plans to release the new version on Tuesday between 1 PM and 5 PM UTC.