OpenSSL contained a flaw that might allow an attacker to read memory contents or cause a denial of service.

The vulnerability, which affected the 3.0 series since 3.0.0, was fixed in OpenSSL version 3.0.8, a release that also addressed several other flaws.

As always, all users are urged to update to the latest stable version, which in this case means 3.0.8, for maximum safety.

OpenSSL is a software library for applications that need to authenticate the other party or secure their communications across computer networks against eavesdropping. It is commonly used by internet servers, including the vast majority of HTTPS websites.

The vulnerability gets addressed

OpenSSL had a vulnerability that could allow an attacker to read memory contents or cause a denial of service. While it does not yet appear to have a CVSS rating, the vulnerability could be exploited in attacks. This “X.400 address type confusion” vulnerability is tracked as CVE-2023-0286, and an update is now available to fix it.

The OpenSSL team explained the vulnerability as follows:

“In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon.”

The issue has been fixed in the following versions:

Fixed in OpenSSL 3.0.8 (Affected since 3.0.0).

Fixed in OpenSSL 1.1.1t (Affected since 1.1.1).

Fixed in OpenSSL 1.0.2zg (Affected since 1.0.2).

The latest stable release series is 3.0, a Long Term Support (LTS) series supported until 7th September 2026. The issue has been patched in OpenSSL version 3.0.8, which also addressed multiple other vulnerabilities.
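A branch-aware version check built from the fixed versions listed above, added here as an example and not code from the OpenSSL project. It assumes the `openssl version` string format (`major.minor.patch` plus an optional letter suffix on the 1.x branches) and, as the advisory states, that every release on a listed branch before its fixed version is affected.

```python
import re
import subprocess
import sys

# Fixed versions as listed in the advisory, keyed by release branch; each entry
# has the shape parse_version() returns: (major, minor, patch, letter_key).
FIXED = {
    (3, 0): (3, 0, 8, (0, "")),
    (1, 1, 1): (1, 1, 1, (1, "t")),
    (1, 0, 2): (1, 0, 2, (2, "zg")),
}

def parse_version(text):
    """Parse '3.0.7', '1.1.1s', '1.0.2zf' or a full `openssl version` line.

    Letter suffixes are keyed by (length, letters) so the 1.0.2 sequence
    ... y, z, za, zb, ..., zg sorts in release order.
    """
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letters = m.group(4)
    return (major, minor, patch, (len(letters), letters))

def branch_of(version):
    """3.x branches are major.minor; 1.x branches are major.minor.patch."""
    major, minor, patch, _ = version
    return (major, minor) if major >= 3 else (major, minor, patch)

def cve_2023_0286_status(text):
    """Return 'affected', 'fixed' or 'not covered' for a version string.

    Every release on a listed branch below its fixed version counts as
    affected, matching the advisory's 'affected since' statements. Branches
    the advisory does not list (for example 1.1.0) are 'not covered'.
    """
    version = parse_version(text)
    fixed = FIXED.get(branch_of(version))
    if fixed is None:
        return "not covered"
    return "affected" if version < fixed else "fixed"

if __name__ == "__main__":
    # Check the version given on the command line, else the local `openssl` binary.
    if len(sys.argv) > 1:
        source = sys.argv[1]
    else:
        source = subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout
    print(source.strip(), "->", cve_2023_0286_status(source))
```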

All users are advised to update to the latest stable version for maximum safety.