OpenSSL is patching just its second critical security flaw ever
OpenSSL is preparing to patch its first critical vulnerability in eight years. The OpenSSL project has announced a new software update that fixes several vulnerabilities in the open source toolkit, including one rated critical.
“The OpenSSL project team would like to announce the upcoming release of OpenSSL version 3.0.7. This release will be made available on Tuesday, November 1, 2022 between 1300-1700 UTC,” reads the announcement. “OpenSSL 3.0.7 is a security fixes release. The highest severity issue resolved in this release is CRITICAL.”
“Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities that can be easily exploited remotely to compromise the server’s private keys, or where remote code execution in common situations is considered likely,” the developers said.
Patch coming next month
The flaw affects version 3.0 and newer and is the second critical vulnerability ever addressed by the OpenSSL project, with Heartbleed (CVE-2014-0160) being the first in 2014.
The release date for the 3.0.7 version is now set for November 1. The developers describe it as a “security fix release”. At the same time, a bug fix release, 1.1.1s, will be published on the same day.
Sonatype’s CTO, Brian Fox, doesn’t seem too happy with the way the OpenSSL Project handled the problem, saying it put developers in a dangerous position:
“All we know so far is that the issue is considered critical by the team, only the second critical vulnerability in OpenSSL since they started tracking the Heartbleed bug and fallout in 2014. We know that this only seems to affect versions 3.0 and above, but not how broadly applicable or how easily this issue can be exploited, and that it will be fully disclosed on November 1st.”
He then asks three hypothetical questions: if a company discovers a new vulnerability such as the one the OpenSSL Project just announced, how long would it take an IT professional to find out whether the company uses any version of this component anywhere in its portfolio, which of its applications use the affected versions, and how long it would take the company to fix the problem? His answer suggests a potential disaster is on the horizon.
“If you can’t answer the three questions I asked above right away, you have six days to prepare,” he warns. “The clock is ticking.”
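Fox's first two questions are an inventory problem: can you enumerate where OpenSSL is deployed and which of those instances fall in the affected range? The following is an added example, not code from the article or from the OpenSSL project, of a small triage helper that takes a constructed inventory (one host per line, each with the output of `openssl version`) and flags the hosts running a 3.0 series build older than 3.0.7, the fix release the announcement names. The inventory contents and host names are made up for illustration.

```python
import re
from typing import List, Optional, Tuple

# The announcement says the fix ships in 3.0.7 and only the 3.0 series
# and newer is affected; 1.1.1 gets a separate bug-fix release (1.1.1s).
FIXED_VERSION = (3, 0, 7)

# Constructed sample inventory: "<host>: <output of `openssl version`>".
SAMPLE_INVENTORY = """\
web-01: OpenSSL 3.0.5 5 Jul 2022
web-02: OpenSSL 1.1.1q  5 Jul 2022
build-03: OpenSSL 3.0.7 1 Nov 2022
api-04: OpenSSL 3.0.2 15 Mar 2022
legacy-05: LibreSSL 3.3.6
"""

# Matches "OpenSSL 3.0.5" and letter-suffixed 1.1.1 versions such as "1.1.1q".
_VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text: str) -> Optional[Tuple[int, int, int, str]]:
    """Extract (major, minor, patch, suffix) from an `openssl version` line.

    Returns None when the line does not identify an OpenSSL build (for
    example LibreSSL or BoringSSL), so it can be routed to manual review.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def is_affected(version: Tuple[int, int, int, str]) -> bool:
    """True for 3.0.0 <= version < 3.0.7, the range the advisory covers."""
    numeric = version[:3]
    return (3, 0, 0) <= numeric < FIXED_VERSION


def triage_inventory(inventory: str) -> Tuple[List[str], List[str], List[str]]:
    """Split hosts into (affected, unaffected, unknown) buckets."""
    affected: List[str] = []
    unaffected: List[str] = []
    unknown: List[str] = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, rest = line.partition(":")
        host = host.strip()
        version = parse_openssl_version(rest)
        if version is None:
            unknown.append(host)      # not OpenSSL, or unparsable: review by hand
        elif is_affected(version):
            affected.append(host)     # needs 3.0.7 on release day
        else:
            unaffected.append(host)   # 1.1.1 series or already on 3.0.7+
    return affected, unaffected, unknown


if __name__ == "__main__":
    aff, ok, unk = triage_inventory(SAMPLE_INVENTORY)
    print("affected:  ", aff)
    print("unaffected:", ok)
    print("unknown:   ", unk)
```

Feeding this real `openssl version` output collected over SSH or from a configuration-management tool answers the "do we use it anywhere" question in minutes rather than days; the "unknown" bucket is deliberate, because a statically linked or vendored copy of OpenSSL inside an application will not show up in the system binary's output and still needs tracking down.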
On the other hand, OpenSSL core team member Mark J. Cox argues that since details about the vulnerability are so sparse, the chances of crooks exploiting it before it’s patched are slim. Giving IT teams advance warning of when the patch will arrive far outweighs the potential risk of scammers exploiting the flaw in the meantime, he suggests:
“Given the number of changes in 3.0 and the lack of other context information, [threat actors going through the commit history between versions 3.0 and the current one to find anything is] very unlikely,” he tweeted.
Via: Security Affairs