OpenSSL is patching just its second critical security flaw ever

OpenSSL is preparing to patch its first critical flaw in eight years. The OpenSSL Project have announced a new software update that should fix several vulnerabilities in the open-source toolkit, including one flaw defined as critical. 

“The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 3.0.7. This release will be made available on Tuesday 1st November 2022 between 1300-1700 UTC.” reads the announcement. “OpenSSL 3.0.7 is a security-fix release. The highest severity issue fixed in this release is CRITICAL.”

“Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys or where remote code execution is considered likely in common situations,” the developers said.

Patch coming next month

The flaw impacts versions 3.0 and newer, and is the second critical vulnerability to ever be addressed by the OpenSSL Project, with Heartbleed (CVE-2014-0160) being the first one in 2014. 

The release date for the 3.0.7 version is now set for November 1. The developers describe it as a “security-fix release”. In parallel, there will be a bug-fix release, 1.1.1s, published on the same day. 

CTO of Sonatype, Brian Fox, doesn’t seem all too happy about the way OpenSSL Project addressed the issue, saying it put developers in a dangerous position: 

“All we know so far is that the issue is considered critical by the team, only the second critical vulnerability in OpenSSL since they started tracking after the Heartbleed bug and fallout in 2014. We know that this only seems to affect versions 3.0 and above, but not how broadly applicable or how easily exploitable this issue will be, and that it will be fully disclosed on November 1st.”

He then proceeds to ask three hypothetical questions: If a company learns about a new vulnerability, in the way OpenSSL Project just announced one, how long would it take for an IT pro to learn if his company is using any version of this component, anywhere in its portfolio, in which applications it’s using the affected versions, and how long before the company can remediate the problem – hinting that a potential disaster is on the horizon.

“If you aren’t able to immediately answer the three questions I posed above, you have six days to prepare,” he warns. “The clock is ticking.”

OpenSSL core team member, Mark J. Cox, on the other hand, argues that with details about the vulnerability being so scarce, the chances of crooks abusing it before it’s patched are slim. Giving IT teams a heads up as the patch arrives far outweighs the potential risks of crooks abusing the flaw, he suggests:

“Given the number of changes in 3.0 and the lack of any other context information, [threat actors going through the commit history between versions 3.0 and the current one to find anything] is very highly unlikely,” he tweeted. 

• Check out the best endpoint protection services out there

Via: Security Affairs