OpenSSL Vulnerability

PUBLISHED ON October 31, 2022
LAST UPDATED Oct 31, 2022

On October 26, the OpenSSL Project announced the discovery of a critical vulnerability, and that a fixed release, version 3.0.7, would be available on November 1, 2022.

This vulnerability affects only OpenSSL versions 3.0.0 through 3.0.6.

OpenSSL defines a critical flaw as one that “affects common configurations and which is also likely to be exploitable. Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys or where remote code execution is considered likely in common situations.” 

Organizations should prepare now by identifying which systems use OpenSSL 3.0. Those who dealt with Heartbleed in 2014 should have a better idea of where OpenSSL is in use. 
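One way to carry out that inventory step on a host, as an added example that is not part of the original post: a POSIX shell function that classifies an `openssl version` banner against the range stated above (3.0.0 through 3.0.6 affected, 3.0.7 fixed), plus a helper that runs it against the local CLI. The function names are my own, the `ldconfig -p` library lookup is a Linux-specific assumption, and the sample banners at the end are constructed.

```shell
#!/bin/sh
# openssl_affected "<banner>": exit 0 if the banner from `openssl version`
# falls in the affected range 3.0.0 through 3.0.6, exit 1 otherwise
# (3.0.7 and later carry the fix; 1.1.1 and older are a different line).
openssl_affected() {
    # Second field of the banner is the version, e.g. "3.0.5" or "1.1.1q".
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    # Patch level, with any letter or pre-release suffix stripped.
    patch=$(printf '%s' "$ver" | cut -d. -f3 | sed 's/[^0-9].*$//')
    case "$major.$minor" in
        3.0) ;;                 # only the 3.0.x line is in scope
        *) return 1 ;;
    esac
    [ -n "$patch" ] || return 1 # unparseable banner: treat as unknown, not affected
    [ "$patch" -le 6 ]          # 0..6 affected (exit 0), 7 and up fixed (exit 1)
}

# Inventory of the local host: the CLI on PATH and, on Linux, any 3.x
# libssl/libcrypto shared objects the dynamic loader knows about
# (ldconfig is a Linux-specific assumption; the lookup is skipped elsewhere).
inventory_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        banner=$(openssl version 2>/dev/null)
        if openssl_affected "$banner"; then
            printf 'AFFECTED  %s (%s)\n' "$banner" "$(command -v openssl)"
        else
            printf 'ok        %s (%s)\n' "$banner" "$(command -v openssl)"
        fi
    else
        printf 'no openssl CLI on PATH\n'
    fi
    if command -v ldconfig >/dev/null 2>&1; then
        ldconfig -p 2>/dev/null | grep -E 'lib(ssl|crypto)\.so\.3' || true
    fi
}

# Constructed sample banners (not captured from a real host) so the
# classification can be seen without OpenSSL installed.
for b in "OpenSSL 3.0.5 5 Jul 2022" "OpenSSL 3.0.7 1 Nov 2022" \
         "OpenSSL 1.1.1q 5 Jul 2022"; do
    if openssl_affected "$b"; then echo "AFFECTED  $b"; else echo "ok        $b"; fi
done
```

The CLI banner reflects only the copy on PATH; applications that bundle or statically link their own OpenSSL (language runtimes, containers, appliances) have to be checked separately, which is where a Heartbleed-era inventory pays off.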

ThreatX is monitoring the situation. If there are payloads that can be delivered over HTTP, we will test our current rule sets and enhance where necessary. 

We will include more details here when we have them. 

November 1, 2022 update: OpenSSL has released version 3.0.7, which addresses two high-severity vulnerabilities. The issues have been rated high severity rather than critical, as originally announced. However, OpenSSL “still considers these issues to be serious vulnerabilities” and encourages affected users to upgrade to 3.0.7 as soon as possible.

As of now, OpenSSL has no evidence of these vulnerabilities being exploited in the wild.

About the Author

Neil Weitzel

Neil is the Manager of the ThreatX Security Operations Center and is located in Boston, MA. He has 15 years of experience working in various roles, from user support to leading security programs. Neil has profound experience in security architecture and cybersecurity best practices, which helps him provide valuable insight to security teams. Before ThreatX, Neil worked with organizations such as Cognizant as an Application Security Architect, Cigital (now Synopsys) as their Practice Director of Vulnerability Assessments, and EIQ Networks (now Cygilant) as their Director of Security Research. Neil also served as a Cybersecurity Instructor and delivered numerous Security and Defensive Programming courses to various clients such as NASA and PayPal. He is an active member of the security community and has delivered lectures at DEF CON, OWASP and local security meetups. Neil also acts as an adjunct lecturer on Software Engineering at his alma mater, Indiana University.