OpenSSL to release security patch for a ‘critical’ flaw

1 Nov 2022

Image: © DC Studio/Stock.adobe.com

Organisations using OpenSSL version 3.0 or later are advised to update systems as soon as the patch is available.

OpenSSL, the widely-used open-source encryption library, is expected to get a patch today (1 November) for a critical vulnerability.

Without revealing too many details, the OpenSSL Project – which develops and maintains the library – said it is issuing its second-ever “critical” security patch. OpenSSL 3.07, a security-fix release, is set to be made available this afternoon.

All organisations that use OpenSSL 3.0 (released last September) or later should update to avoid hackers exploiting the flaw and causing damage to systems.

“We are now in the calm before the storm,” said Oliver Pinson-Roxburgh, CEO of cybersecurity platform Defense.com. “Memories will still be fresh amongst security teams of the damage from the Heartbleed SSL vulnerability a few years ago.

“Businesses need to be on alert, but we do not know if we face a vulnerability of that scale yet. For now, the key to staying ahead of the hackers is preparation.”

OpenSSL is a software library for general purpose cryptography and secure communication, and is fundamental to a lot of web security. It is widely used on HTTPS websites and web servers.

Ahead of the patch today, cybersecurity company Orca Security scanned cloud platforms and found that around 59pc of organisations are running at least one server with an affected package of OpenSSL 3.0 or later.

More than half of these assets are internet-facing and 58pc contain personally identifiable information, Orca found.

“My advice to organisations is to first make sure that every asset with OpenSSL version 3.0 to 3.6 in your environment is identified,” said Orca Security CEO Avi Shua.

“The next step is to determine which of these assets are exposed, and/or could create an attack path to your most critical assets. Teams should then be ready to immediately apply the fix to these prioritised assets when the patch is released, followed by updating all remaining vulnerable assets.”

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Vish Gain was a journalist with Silicon Republic

editorial@siliconrepublic.com