OpenSSL is patching just its second critical security flaw ever


OpenSSL is preparing to patch its first critical flaw in eight years. The OpenSSL Project has announced a new software update that should fix several vulnerabilities in the open-source toolkit, including one flaw rated as critical.

“The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 3.0.7. This release will be made available on Tuesday 1st November 2022 between 1300-1700 UTC,” reads the announcement. “OpenSSL 3.0.7 is a security-fix release. The highest severity issue fixed in this release is CRITICAL.”

“Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys or where remote code execution is considered likely in common situations,” the developers said.

Patch coming next month

The flaw impacts versions 3.0 and newer, and is the second critical vulnerability to ever be addressed by the OpenSSL Project, with Heartbleed (CVE-2014-0160) being the first one in 2014.

The release date for the 3.0.7 version is now set for November 1. The developers describe it as a “security-fix release”. In parallel, there will be a bug-fix release, 1.1.1s, published on the same day.

Announcing the existence of a serious flaw a week before issuing a patch could motivate cybercriminals to look for weaknesses in places they'd otherwise not look. But industry experts believe the benefits of such an announcement sometimes outweigh the risks.

Brian Fox, CTO of Sonatype, for example, commented:

“The speculation assumes that the fix is available in the publicly visible source and the advance notice gives attackers time to find it. This assumption may not be true; it is a best practice at some times to embargo the actual change until after the announcement for this exact reason. The team at OpenSSL consists of some of the foremost experts in handling high-profile open source vulnerability disclosures and if they have determined this is the best course of action -- to give advance notice -- then I have faith in that decision.”

OpenSSL core team member Mark J. Cox doubled down on this argument, saying that with details about the vulnerability being so scarce, the chances of crooks abusing it before it’s patched are slim. Giving IT teams a heads-up ahead of the patch far outweighs the potential risk of crooks abusing the flaw, he suggests:

“Given the number of changes in 3.0 and the lack of any other context information, [threat actors going through the commit history between versions 3.0 and the current one to find anything] is very highly unlikely,” he tweeted.

Via: Security Affairs

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.