OpenSSL prepares a fix for its first critical flaw in eight years. The OpenSSL project has announced a new software update that will fix several vulnerabilities in the open source toolkit, including one that has been rated critical.
“The OpenSSL project team would like to announce the upcoming release of OpenSSL version 3.0.7. This release will be available on Tuesday, November 1, 2022 between 1300-1700 UTC,” reads the announcement. “OpenSSL 3.0.7 is a security-fix release. The highest severity issue fixed in this release is critical.”
“Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys, or where remote code execution is considered likely in common situations,” the developers said.
Fix coming next month
The flaw affects version 3.0 and later, and is the second critical vulnerability to be addressed by the OpenSSL project, with Heartbleed (CVE-2014-0160) being the first in 2014.
The 3.0.7 release date is now set for November 1st. The developers describe it as a “security fix release”. In parallel, there will be a bugfix release, 1.1.1s, that will be published on the same day.
Brian Fox, CTO at Sonatype, isn’t too happy with the way the OpenSSL Project has handled the issue, saying it puts developers in a dangerous position:
“All we know so far is that the issue is considered critical by the team, only the second critical OpenSSL vulnerability since they started tracking after the Heartbleed bug and its aftermath in 2014. We know this only appears to affect versions 3.0 and above, but not how widely applicable this issue is or how easy it is to exploit, and that it will be fully revealed on November 1st.”
He then poses three hypothetical questions: if a company learns of a new vulnerability the way the OpenSSL project just announced one, how long will it take an IT professional to find out whether the company is using any version of that component anywhere in its portfolio; in which applications the affected versions are used; and how long before the company can remedy the problem. Not being able to answer them, he says, is a sign that a potential disaster is on the horizon.
“If you are not able to immediately answer the three questions I asked above, you have six days to prepare,” he warns. “The clock is ticking.”
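An added example, not from the article or from Sonatype, of how the first two of those questions can be answered mechanically from a software inventory. The SBOM below is constructed for the example and its application names are hypothetical; the affected range (3.0.0 up to, but not including, 3.0.7) follows the advisory as reported above.

```python
"""Scan a portfolio of SBOMs for OpenSSL builds in the affected range
and report which applications ship them (defender-side inventory check)."""
import json
import re

# Constructed sample inventory: one minimal CycloneDX-style record per
# application (assumption: component names are free text, any case).
SBOMS = json.loads("""
[
  {"app": "billing-api",   "components": [
      {"name": "openssl", "version": "3.0.5"},
      {"name": "zlib",    "version": "1.2.13"}]},
  {"app": "legacy-portal", "components": [
      {"name": "openssl", "version": "1.1.1q"}]},
  {"app": "edge-proxy",    "components": [
      {"name": "openssl", "version": "3.0.7"}]},
  {"app": "batch-worker",  "components": [
      {"name": "OpenSSL", "version": "3.0.0"}]}
]
""")

FIXED = (3, 0, 7)  # first 3.0.x release carrying the fix, per the advisory

def parse_version(text):
    """Turn '3.0.5' or '1.1.1q' into a comparable tuple. A non-numeric
    suffix (the 1.1.1 letter releases) is kept as a trailing string."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(.*)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text}")
    return tuple(int(x) for x in m.group(1, 2, 3)) + (m.group(4),)

def is_affected(version):
    """Affected: 3.0.0 <= version < 3.0.7. The 1.1.1 series only gets a
    bug-fix release (1.1.1s) and is therefore not flagged."""
    v = parse_version(version)[:3]
    return (3, 0, 0) <= v < FIXED

def find_affected(sboms):
    """Return {app: openssl_version} for every application that ships an
    affected build; this is the remediation list for 1 November."""
    hits = {}
    for sbom in sboms:
        for comp in sbom["components"]:
            if comp["name"].lower() == "openssl" and is_affected(comp["version"]):
                hits[sbom["app"]] = comp["version"]
    return hits

if __name__ == "__main__":
    for app, ver in sorted(find_affected(SBOMS).items()):
        print(f"{app}: openssl {ver} -> schedule upgrade to 3.0.7")
```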
On the other hand, OpenSSL core team member Mark J. Cox argues that, with details about the vulnerability scarce, the chances of attackers abusing it before it is patched are slim. In his view, the value of giving IT teams advance notice of when a patch arrives far outweighs the risk of attackers abusing the flaw, and he suggests:
“Given the number of changes in 3.0 and the lack of any other context information, [threat actors going through the commit history between version 3.0 and the current one to find anything is] very unlikely.”
Via: Security Affairs