Team82 Logo Claroty
Return to Team82 Research

OpenSSL Expected to Patch Critical Vulnerability in v3.0

/ / 2 min read

The OpenSSL Project tomorrow is scheduled to release version 3.0.7 of the popular open source encryption library that patches a critical vulnerability, the first disclosed and addressed by OpenSSL in six years. 

The project's maintainers have not provided any substantial details as of yet on the vulnerability.

OpenSSL is everywhere within IT, operational technology, and connected embedded systems. Commercial and homegrown software projects include OpenSSL as their cryptographic key solution. 

The affected version—3.0—was released in 2021 and is less likely to be deployed in OT environments and within critical infrastructure given their slower update cycles.

The last critical vulnerability publicly disclosed and patched by OpenSSL was in September 2016 when an emergency security update addressed a flaw introduced by an earlier update. The patch in question introduced a dangling pointer vulnerability that could lead to server crashes or remote code execution. 

2014’s Heartbleed vulnerability is one of the biggest internet-wide bugs of the 21st century. Heartbleed leaked memory to any client or server that was connected, and that exposed servers to attack. It also kicked off a major patching frenzy at the time as administrators scrambled to understand where OpenSSL was deployed within their infrastructure, and whether it could be updated before exploits were made public. 

It also caused OpenSSL’s handlers and the maintainers of other ubiquitous open source projects to scrutinize the security of their code and how users are impacted. Therefore, it’s critical for organizations to get ahead of this potential patching effort. The SANS Institute today published a blog recommending that in many cases, the OpenSSL command utility below would reveal whether OpenSSL 3.0 is in use. 

% openssl version

SANS Institute also published a list of affected Linux distributions, which is relatively few. MacOS users are not affected because the OS users LibreSSL by default. Other software, however, may later have installed OpenSSL, according to SANS.

The National Cyber Security Centrum (NCSC-NL) is also maintaining a list of software affected by the vulnerability that users are urged to monitor.

Users should expect OpenSSL to release its update between 1 p.m. and 5 p.m. UTC.


Stay in the know Get the Team82 Newsletter
Recent Vulnerability Disclosures
Claroty
LinkedIn Twitter YouTube Facebook