"Incoming OpenSSL Critical Fix: Organizations, Users, Get Ready!"

The OpenSSL Project team has announced that OpenSSL version 3.0.7 will be released on November 1, 2022, to address a critical vulnerability in the popular open-source cryptographic library. The vulnerability does not affect OpenSSL versions before 3.0. According to the team's risk classification, critical vulnerabilities in OpenSSL are those that affect common configurations and are likely to be exploitable. As examples, the team cites significant disclosure of server memory contents (potentially revealing user details), vulnerabilities that can be easily exploited remotely to compromise server private keys, and situations in which remote code execution is considered likely.

The OpenSSL library is an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) cryptographic protocols, which allow for secure network communication. When the critical Heartbleed bug was fixed in 2014, it became clear how much the security of computer systems, the Internet as a whole, and users depends on the "good health" of this software library. OpenSSL is included in many operating systems, client-side software, web and email server software, network appliances, industrial control systems, and more.

With this in mind, the OpenSSL team usually announces security fixes via its website and mailing list, but it also directly notifies organizations that produce a general-purpose operating system that uses OpenSSL, maintainers of popular open-source projects that are derived from OpenSSL, and organizations with which the project has a commercial relationship. The team shares vulnerability information and patches with them in advance. This article continues to discuss the release of OpenSSL version 3.0.7 to fix a critical vulnerability in the popular open-source cryptographic library.

Help Net Security reports "Incoming OpenSSL Critical Fix: Organizations, Users, Get Ready!"
