A fix for a critical issue in OpenSSL is on the way, announced in advance of its release on November 1, 2022, in a four hour window between 13:00 UTC and 17:00 UTC. The release, version 3.0.7, will address a critical vulnerability for all versions of the software starting with a 3. Versions starting with a 1 are unaffected. A separate release for that branch of the software, version 1.1.1, is scheduled for the same day but it is a bug fix and is not related to this issue.
This advance notice is designed to give a little time for organisations and individuals to get themselves ready for the upcoming critical update:
That's our policy https://t.co/pNLA4Ce4yV to provide folks with a date they know to be ready to parse an advisory and see if the issue affects them. Given the number of changes in 3.0 and the lack of any other context information, such scouring is very highly unlikely.— Mark J Cox (@iamamoose) October 26, 2022
This release has attracted a lot of attention because this is only the second time the OpenSSL team has marked an issue CRITICAL since it introduced its issue severity criteria in 2014.
OpenSSL only labels vulnerabilities as critical if they meet the following criteria:
This affects common configurations and which are also likely to be exploitable. Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys or where remote code execution is considered likely in common situations. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to address these as soon as possible.
The OpenSSL project describes its software as a "full-featured toolkit for general-purpose cryptography and secure communication"—a sort of cryptographic Swiss army knife. It is extremely widely used, either as a standalone application or embedded in other applications. Linux, FreeBSD, and macOS all come with some version of it, and it can be installed on Windows.
Version 3.0.0 was released just over a year ago, in September 2021. Version 1 remains much more widely used, but version 3 is used by a number of popular Linux distributions, including CentOS Stream 9, Red Hat Enterprise Linux 9 (RHEL 9), Ubuntu 22.10, Ubuntu 22.04 LTS, and Fedora Rawhide.
The Fedora Linux 37 release may be held up to include fixes for the vulnerability, and other responsible vendors are likely to move quickly to included updated versions in their software.
Heads up: we are very likely to slip the official Fedora Linux 37 release in order to integrate fixes for the upcoming critical openssl vulnerability. Official decision on this tomorrow.— Matthew Miller (@mattdm) October 26, 2022
If you have access to a command line, you discover what version you are using by punching in:
If you have OpenSSL installed, it will return the version number and release date. If your version number starts with a 3, this critical issue affects you. In addition to this check, you may need to dig around for non-standard installations, and you may be running software or appliances that include OpenSSL too. Keep an eye out for communications from your software suppliers, particularly those that supply Internet-facing software or hardware.
The only other OpenSSL issue with a CRITICAL rating was CVE-2016-6309 in 2016. The biggest OpenSSL issue of all though was Heartbleed, which predates OpenSSL's severity criteria. Heartbleed allowed remote attackers to expose sensitive data and continued to cause problems years after the event. It exposed the Internet's dependence on small and unfashionable projects run by volunteers, and spawned forks like LibreSSL and BoringSSL that attempted to clean up OpenSSL's complex codebase.
We will update this post as additional important information comes to light.
Update 2022-10-30, Crowdsourced vendor list
Pierre-Olivier Blu-Mocaer has created a crowdsourced list of software using OpenSSL version 3, on GitHub.