
A New OpenSSL Vulnerability Is Coming – Get Ready to Patch

On Tuesday 1 November, between 1pm and 5pm UTC, a new version of the widely adopted OpenSSL 3.x series will be released for general consumption. The OpenSSL project announced this on its mailing list and on Twitter, also revealing that the release fixes a new CRITICAL security vulnerability.

In a twist to the usual formula, the project is giving the world a week's advance notice of the upcoming patch release, and we should all take note of it and be prepared. OpenSSL is widely considered to be part of the critical infrastructure of the internet, among other things generating the certificates that allow websites to run over HTTPS.

At the time of writing, it also appears that only OpenSSL versions from 3.0 through 3.0.6 are affected, and that this critical security vulnerability is fixed in the upcoming 3.0.7. OpenSSL 3 is widely adopted, but current surveys indicate that it is still far outweighed by deployments of the 1.x series, which is mostly out of long-term support today and will be entirely so after September 2023.
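A triage check for the version range described above, added here as an example and not part of the original post: it classifies `openssl version` banners gathered from each host as needing the 3.0.7 patch or not (the inventory below is constructed sample data).

```python
import re
import ssl

# Affected range as stated in the post: 3.0.0 up to and including 3.0.6; fixed in 3.0.7.
FIRST_AFFECTED = (3, 0, 0)
FIXED_IN = (3, 0, 7)

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner: str):
    """Parse the leading version out of an `openssl version` banner.

    Returns (major, minor, patch), or None when the banner is not OpenSSL
    (LibreSSL and BoringSSL report different banners and are out of scope).
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, _letter = m.groups()
    # 1.x patch letters (e.g. 1.1.1q) do not matter here: only the 3.0.x line is in scope.
    return (int(major), int(minor), int(patch))


def is_affected(banner: str) -> bool:
    """True when the banner reports a version in the 3.0.0..3.0.6 range."""
    v = parse_openssl_version(banner)
    if v is None:
        return False
    return FIRST_AFFECTED <= v < FIXED_IN


def triage(inventory: dict) -> dict:
    """Map host name -> 'patch' or 'ok' for an inventory of version banners."""
    return {host: ("patch" if is_affected(b) else "ok") for host, b in inventory.items()}


# Constructed sample inventory, as if collected by running `openssl version` on each host.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 3.0.5 5 Jul 2022",
    "web-02": "OpenSSL 3.0.7 1 Nov 2022",
    "legacy-db": "OpenSSL 1.1.1q 5 Jul 2022",
    "bastion": "LibreSSL 3.3.6",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
    # Also check the OpenSSL build the running Python interpreter is linked against.
    print("this interpreter:", "patch" if is_affected(ssl.OPENSSL_VERSION) else "ok", ssl.OPENSSL_VERSION)
```

Hosts reported as "ok" because their banner is not OpenSSL at all still deserve a manual look, since this check only knows about the 3.0.x line the post describes.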

However, Maven Central, the world's largest Java open source ecosystem, distributes 62 wrapper packages that repackage OpenSSL. More often, OpenSSL is pulled into a project transitively or required from the underlying system by another piece of software. Indeed, any application that provides a web server, or uses one, could be running on server software that relies on an outdated version.

Historically, OpenSSL vulnerabilities have had a widespread impact: who could forget the infamous Heartbleed vulnerability? Heartbleed started the trend for naming security vulnerabilities and (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ilkka Turunen. Read the original post at: https://blog.sonatype.com/a-new-openssl-vulnerability-is-coming-get-ready-to-patch