A brief advance notice for OpenSSL users: there appears to be a vulnerability in the implementation of this software. The OpenSSL developer team has announced that it will release an update to version 3.0.7 on November 1, 2022. There is now speculation that this release will contain the fix for an OpenSSL vulnerability, and about how critical that vulnerability will turn out to be.
What is OpenSSL?
OpenSSL is a widely used code library that enables secure communication over the Internet. It includes implementations of the network protocols and of various ciphers, as well as the openssl command-line program for requesting, generating and managing certificates. Anyone who surfs the Internet, visits a website or uses an online service is using OpenSSL.
OpenSSL 3.0.7 announced
I've received the notice from several quarters, both from Check Point security experts and on Twitter, as well as from blog reader Timo W. (thanks for that). Timo wrote:
The following might be worth a mention in your blog.
On 01.11 a fix for a rather critical OpenSSL vulnerability is supposed to be released. (3.0.7)
This probably affects all OpenSSL versions 3 and higher. Patching is strongly recommended in a timely manner.
The OpenSSL team's announcement mentions a security fix without disclosing any details. The update is scheduled for release on Tuesday, November 1, 2022.
How critical will it be?
And now it gets exciting. The developers write that OpenSSL 3.0.7 includes fixes for a vulnerability rated at the highest severity level, Critical. On this, the folks at Check Point write:
In an official statement last Tuesday, the OpenSSL project team announced the upcoming release of the next version, which will be released on Tuesday, November 1. This version 3.0.7 is expected to include a fix for a critical vulnerability. While exact details of the vulnerability are unknown at this time, we urge organizations to follow the release closely, patch their systems, and keep all protections up to date until more details are known.
However, it is interesting to note Will Dormann's tweet of October 28, 2022, which assumes that what is likely to be patched is a memory flaw that is virtually impossible to exploit, such as Heartbleed.
The question then is how critical and widespread the security problem is. Let's wait and see whether all sorts of operating system and software updates suddenly become due on November 1, 2022. As an end user there is little you can do anyway: the OpenSSL library is embedded in products, so everybody has to wait for a patch.
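As an added example that is not part of the blog post, the following POSIX shell helper classifies OpenSSL version strings against the announced 3.0.7 fix release and scans a directory tree for embedded version banners, so statically linked copies inside vendor products show up as well; the affected range 3.0.0 to 3.0.6, the function names and the constructed demo files are assumptions.

```shell
#!/bin/sh
# Added inventory helper (not from the blog post). It classifies an OpenSSL
# version string against the announced fix release 3.0.7 and scans files for
# embedded OpenSSL version banners, so statically linked copies inside vendor
# products are found too. Assumption: the affected range is 3.0.0 .. 3.0.6.

# Print "affected", "fixed", "other-branch" or "unparsed" for a version string.
openssl_status() {
    case "$1" in
        3.0.[0-6]|3.0.[0-6][!0-9]*) echo affected ;;      # 3.0.0 .. 3.0.6 (incl. 3.0.6-dev)
        3.[0-9]*.[0-9]*)            echo fixed ;;         # 3.0.7 and later 3.x (assumed to carry the fix)
        [0-9]*.[0-9]*.[0-9]*)       echo other-branch ;;  # e.g. 1.1.1q: not a 3.x build
        *)                          echo unparsed ;;
    esac
}

# For every regular file under $1, print "<file> <version> <status>" for each
# distinct OpenSSL banner found (OPENSSL_VERSION_TEXT looks like
# "OpenSSL 3.0.2 15 Mar 2022"). grep -a treats binaries as text, so this also
# catches copies that `openssl version` on the host does not show.
scan_openssl_banners() {
    find "$1" -type f 2>/dev/null | while read -r f; do
        grep -ao 'OpenSSL [0-9][0-9.]*[a-z]*' "$f" 2>/dev/null | sort -u |
        while read -r tag ver; do
            printf '%s %s %s\n' "$f" "$ver" "$(openssl_status "$ver")"
        done
    done
}

# Constructed demo input: two fake binaries in a scratch directory, one with a
# single 3.0.5 banner and one carrying both a 1.1.1q and a 3.0.7 banner.
demo() {
    d=$(mktemp -d) || return 1
    printf 'junk\0OpenSSL 3.0.5 5 Jul 2022\0more' > "$d/vendor-agent"
    printf 'OpenSSL 1.1.1q  5 Jul 2022\0OpenSSL 3.0.7 1 Nov 2022' > "$d/libmixed.so"
    scan_openssl_banners "$d"
    rm -rf "$d"
}

# Usage on a real system: scan_openssl_banners /usr/lib   (or a vendor firmware tree)
```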
When I then see how bad the patch status is, especially for IoT devices and Android smartphones, it becomes clear what a razor's edge the entire industry is walking. It is an absurdity when billions of devices are turned into electronic scrap for lack of patches. Basically, manufacturers should be obligated to provide patches for the lifetime of their devices (for reasons of sustainability alone).