- OpenSSL is fixing the second critical vulnerability in its history with an update that will be released on 1st November 2022.
- The OpenSSL Project announced that it is a critical vulnerability, which means it is likely to be exploitable by third parties.
- According to OpenSSL’s security policy, critical vulnerabilities can cause disclosure of the contents of server memory, potentially revealing user details.
The OpenSSL Project is releasing an update to patch its second critical flaw ever. It is the first critical vulnerability affecting the OpenSSL toolkit since 2014. The flaw, which affects versions 3.0 and newer, will be addressed in the new update, to be released on 1st November 2022.
OpenSSL version 3.0.7
The OpenSSL Project officially announced the update as a security-fix release and rates the vulnerability it addresses as critical. The announcement says:
« The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 3.0.7. This release will be made available on Tuesday 1st November 2022 between 1300-1700 UTC. OpenSSL 3.0.7 is a security-fix release. The highest severity issue fixed in this release is critical. »
The details of the flaw are still unknown, but developers and organizations are urged to apply the patch as soon as it is available. According to the OpenSSL Security Policy, a critical vulnerability means:
« This affects common configurations and which are also likely to be exploitable. Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys or where remote code execution is considered likely in common situations. These issues will be kept private and will trigger a new release of all supported versions. »
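Because the details are embargoed until the release, the one concrete thing a team can do ahead of 1st November is inventory which systems run an OpenSSL build in the affected range (the 3.0 series before 3.0.7). The script below is an added example written for this article, not code from the OpenSSL project: it parses the version strings that `openssl version` prints (both the 3.x form and the older 1.x letter-suffixed form), reports whether a string is older than the announced 3.0.7 fix, and also checks the library the running Python interpreter is linked against via `ssl.OPENSSL_VERSION`. The sample version lines are constructed; the assumption that everything from 3.0.0 up to but excluding 3.0.7 is affected is taken directly from the article's "versions 3.0 and newer" and the announced fix version.

```python
"""Inventory helper: is an OpenSSL version string in the range the
announcement describes as affected (3.0 series, older than 3.0.7)?

Added example for this article; not OpenSSL project code.  The sample
version lines near the bottom are constructed for illustration.
"""
import re
import ssl
from typing import Optional, Tuple

# Version announced as the security-fix release (from the announcement).
FIXED = (3, 0, 7)

# Matches "OpenSSL 3.0.5 5 Jul 2022", "OpenSSL 1.1.1q  5 Jul 2022" or a
# bare "3.0.5".  Anything else (e.g. a LibreSSL banner) deliberately does
# not match, because it is not an OpenSSL build at all.
_VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text: str) -> Optional[Tuple[int, int, int, str]]:
    """Return (major, minor, patch, letter) or None if not an OpenSSL string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def needs_update(text: str) -> Optional[bool]:
    """True if the version is 3.0 or newer but older than 3.0.7.

    False for a fixed 3.x build or for the 1.x lines, which the article
    does not name as affected (assumption: only "3.0 and newer" applies).
    None if the string is not recognised as an OpenSSL version at all.
    """
    parsed = parse_version(text)
    if parsed is None:
        return None
    major, minor, patch, _letter = parsed
    if major < 3:
        return False
    return (major, minor, patch) < FIXED


def linked_openssl_needs_update() -> Optional[bool]:
    """Check the TLS library this Python interpreter was built against.

    Returns None on builds linked to LibreSSL or another non-OpenSSL stack.
    """
    return needs_update(ssl.OPENSSL_VERSION)


# Constructed examples of `openssl version` output seen across a fleet.
SAMPLE_OUTPUTS = [
    "OpenSSL 3.0.5 5 Jul 2022",      # affected: 3.0 series, older than 3.0.7
    "OpenSSL 3.0.7 1 Nov 2022",      # the announced fix release
    "OpenSSL 1.1.1q  5 Jul 2022",    # 1.1.1 line, not in the named range
    "LibreSSL 3.3.6",                # not OpenSSL: cannot be classified
]

if __name__ == "__main__":
    for line in SAMPLE_OUTPUTS:
        print(f"{line!r:32} -> needs update: {needs_update(line)}")
    print("linked library:", ssl.OPENSSL_VERSION,
          "-> needs update:", linked_openssl_needs_update())
```

Feeding the script the output of `openssl version` collected from each host gives a list of what must be patched once 3.0.7 ships; a `None` result flags a host whose TLS stack is not OpenSSL and needs a separate check, and a host reporting 1.1.1 is outside the range the article names but should still follow the project's advisory when the details are published.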