On October 26, the OpenSSL Project announced the discovery of a critical vulnerability, and that a new version (version 3.0.7) will be available on November 1, 2022.
This vulnerability only affects OpenSSL versions 3.0.0 through 3.0.6.
OpenSSL defines a critical flaw as one that “affects common configurations and which is also likely to be exploitable. Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys or where remote code execution is considered likely in common situations.”
Organizations should prepare now by identifying which systems use OpenSSL 3.0. Those who dealt with Heartbleed in 2014 should have a better idea of where OpenSSL is in use.
ThreatX is monitoring the situation. If there are payloads that can be delivered over HTTP, we will test our current rule sets and enhance where necessary.
We will include more details here when we have them.
November 1, 2022 update: OpenSSL has released version 3.0.7, which addresses two high-severity vulnerabilities. These vulnerabilities are high severity, not critical, as originally reported. However, Open SSL “still considers these issues to be serious vulnerabilities” and encourages affected users to upgrade to 3.0.7 as soon as possible.
As of now, OpenSSL has no evidence of these vulnerabilities being exploited in the wild.