OpenSSL 3.0.7 Will Address Critical Flaw
OpenSSL plans to release an update next week to address a critical vulnerability in the cryptographic library. The flaw affects OpenSSL versions 3.0.0 through 3.0.6. OpenSSL will release version 3.0.7 on Tuesday, November 1. The last time OpenSSL faced a critical vulnerability was Heartbleed, disclosed in 2014.
While people are working on diffing the patches to understand the impact, OpenSSL 3.0 may not be as widely deployed as the version affected by Heartbleed. It's a wait-and-see scenario, but a core library like this may still impact many systems. Hopefully, with the advent of SBOM (software bill of materials) products, companies can quickly find and patch these libraries.
The notice from OpenSSL doesn't disclose the exact vulnerability; it only categorizes it as critical, which under OpenSSL's severity policy means it affects common configurations and is likely to be exploitable. OpenSSL's policy is to keep the specifics private and trigger a new release. Given the prevalence of OpenSSL, it makes sense to be careful about disclosing the exact issue, as the attack surface could be enormous. What you can do is make sure that you update your OpenSSL installs, and applications with embedded OpenSSL, judiciously after the update is released. Review your software inventory and make a prioritized list, much as you did for Log4j.
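As an added example of the inventory triage the paragraph above recommends (not code from OpenSSL or from the original post): the script below parses OpenSSL version strings as reported by `openssl version` or an SBOM, flags anything in the 3.0.0 through 3.0.6 range named in the advisory, and orders the hits with internet-facing systems first. The inventory entries, host names and the `internet_facing` field are constructed for illustration; only the affected version range comes from the advisory.

```python
"""Flag OpenSSL builds in the affected 3.0.0 through 3.0.6 range.

Added example. The version bounds come from the OpenSSL pre-announcement
(3.0.0 through 3.0.6 affected, fixed in 3.0.7); everything else here,
including the sample inventory, is constructed for illustration.
"""
import re
import subprocess

AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

# Accepts "OpenSSL 3.0.5 5 Jul 2022", "3.0.2", "1.1.1q", "OpenSSL 1.0.2k-fips".
_VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return (major, minor, patch, letter) or None if no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def is_affected(text):
    """True only for OpenSSL 3.0.0 through 3.0.6; 1.x and 3.0.7+ are out of range."""
    v = parse_version(text)
    if v is None:
        return False
    return AFFECTED_MIN <= v[:3] <= AFFECTED_MAX


def local_openssl_version():
    """Ask this host's openssl binary for its version string; None if unavailable."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, timeout=5)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


def prioritize(inventory):
    """Affected entries as (name, version), internet-facing systems first."""
    hits = [e for e in inventory if is_affected(e["openssl"])]
    hits.sort(key=lambda e: (not e["internet_facing"], e["name"]))
    return [(e["name"], e["openssl"]) for e in hits]


def unknowns(inventory):
    """Entries whose OpenSSL version could not be parsed; they need manual review."""
    return [e["name"] for e in inventory if parse_version(e["openssl"]) is None]


# Constructed sample inventory (hypothetical hosts; not real data).
SAMPLE_INVENTORY = [
    {"name": "api-gateway", "openssl": "OpenSSL 3.0.5 5 Jul 2022", "internet_facing": True},
    {"name": "build-box", "openssl": "OpenSSL 3.0.2", "internet_facing": False},
    {"name": "legacy-app", "openssl": "OpenSSL 1.1.1q", "internet_facing": True},
    {"name": "vpn-edge", "openssl": "OpenSSL 3.0.7", "internet_facing": True},
    {"name": "appliance", "openssl": "n/a", "internet_facing": True},
]

if __name__ == "__main__":
    for name, ver in prioritize(SAMPLE_INVENTORY):
        print(f"PATCH: {name} ({ver})")
    for name in unknowns(SAMPLE_INVENTORY):
        print(f"REVIEW: {name} (version unknown)")
    local = local_openssl_version()
    if local:
        print("local:", local, "(in affected range)" if is_affected(local) else "(not in range)")
```

Entries with an unparseable version are reported separately rather than silently treated as safe, since an appliance that cannot report its OpenSSL build is exactly the kind of item that falls through an inventory review. Applications that statically link OpenSSL will not show up via `openssl version` at all and have to come from the SBOM side.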