The developers of the OpenSSL project have informed users that the upcoming version 3.0.7 will close a recently discovered critical vulnerability. This is only the second vulnerability the project has ever rated as critical.
The release of OpenSSL 3.0.7 is scheduled for Tuesday, November 1, 2022. No technical details have been published ahead of the release: it is described only as a “security release” that will patch a bug the project rates as “critical”.
It is also reported that the issue does not affect OpenSSL versions prior to 3.0, so the 1.1.1 and older branches are not exposed; only deployments on 3.0.x need the fix. Administrators should therefore identify ahead of the release which systems, containers and bundled applications link against OpenSSL 3.0.x.
In addition to version 3.0.7, the OpenSSL developers are also preparing version 1.1.1s. Its release is scheduled for the same day and will contain fixes for various non-security bugs.
It is noteworthy that this will be the first critical vulnerability fixed in OpenSSL since September 2016, and only the second critical vulnerability in the history of the project.
Let me remind you that the OpenSSL project began assigning severity ratings to vulnerabilities only in 2014, after the discovery of the sensational Heartbleed problem (CVE-2014-0160). Under that policy, “critical” is reserved for issues that affect common configurations and are likely to be exploitable, such as significant disclosure of server memory, compromise of server private keys, or likely remote code execution.
Heartbleed was caused by a missing bounds check in the handling of the Heartbeat extension (RFC 6520) for TLS/DTLS: the code trusted the payload length claimed by the peer instead of comparing it with the size of the record actually received. As a result, anyone could send a malformed heartbeat request and read up to 64 KB of process memory per request from any server or client running a vulnerable version of OpenSSL, including private keys, usernames and passwords, and other content that was supposed to travel only in encrypted form. Exploitation left no trace in logs. Some security experts speculate that the new bug may be of a similar nature, but nothing has been confirmed.
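To make the bounds-checking failure described above concrete, here is an added example written for this page (it is not OpenSSL's own code and does not reproduce its record structures): a minimal heartbeat-style echo in its vulnerable form next to a hardened form. The constructed buffer g_memory, the function names and the stand-in "secret" bytes are assumptions for the demonstration; the record layout (type, two-byte payload length, payload, at least 16 bytes of padding) follows RFC 6520.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* RFC 6520 heartbeat record: 1 byte type, 2 bytes payload_length (big-endian),
 * payload, then at least 16 bytes of random padding. */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Vulnerable pattern: trusts the peer-supplied payload_length and copies that
 * many bytes from the incoming record without checking how long the record
 * actually is. Caller frees the returned buffer. */
static uint8_t *hb_echo_vulnerable(const uint8_t *record, size_t *resp_len)
{
    size_t payload_len = ((size_t)record[1] << 8) | record[2];
    uint8_t *resp = malloc(HB_HEADER_LEN + payload_len + HB_MIN_PADDING);
    if (!resp) return NULL;
    resp[0] = 2;                          /* heartbeat_response */
    resp[1] = record[1];
    resp[2] = record[2];
    /* Over-read: if the record is shorter than payload_len, whatever follows
     * it in memory is copied into the response and sent to the peer. */
    memcpy(resp + HB_HEADER_LEN, record + HB_HEADER_LEN, payload_len);
    memset(resp + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    *resp_len = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    return resp;
}

/* Hardened pattern: the claimed payload plus header and minimum padding must
 * fit inside the bytes that were really received; otherwise drop the record.
 * Returns 0 on success, -1 if the record is rejected. */
static int hb_echo_hardened(const uint8_t *record, size_t record_len,
                            uint8_t **resp_out, size_t *resp_len)
{
    if (record_len < HB_HEADER_LEN + HB_MIN_PADDING) return -1;
    size_t payload_len = ((size_t)record[1] << 8) | record[2];
    if (HB_HEADER_LEN + payload_len + HB_MIN_PADDING > record_len) return -1;
    uint8_t *resp = malloc(HB_HEADER_LEN + payload_len + HB_MIN_PADDING);
    if (!resp) return -1;
    resp[0] = 2;
    resp[1] = record[1];
    resp[2] = record[2];
    memcpy(resp + HB_HEADER_LEN, record + HB_HEADER_LEN, payload_len);
    memset(resp + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    *resp_out = resp;
    *resp_len = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    return 0;
}

/* Constructed demo memory (assumption): a short heartbeat request followed, in
 * the same buffer, by bytes standing in for other process data such as keys.
 * Keeping everything in one array keeps the demo's over-read within bounds. */
static uint8_t g_memory[64];

/* Builds the demo buffer and returns the true length of the record in it. */
static size_t build_demo_memory(void)
{
    memset(g_memory, 0, sizeof g_memory);
    g_memory[0] = 1;                         /* heartbeat_request */
    g_memory[1] = 0; g_memory[2] = 40;       /* claims a 40-byte payload ... */
    memcpy(g_memory + HB_HEADER_LEN, "hi", 2); /* ... but carries only 2 bytes */
    /* 16 zero padding bytes follow: the record really is 3 + 2 + 16 = 21 bytes */
    memcpy(g_memory + 21, "SECRET-KEY-MATERIAL", 19);
    return 21;
}

/* 1 if the vulnerable echo returns bytes that lie beyond the real record. */
int vulnerable_leaks_secret(void)
{
    build_demo_memory();
    size_t n = 0;
    uint8_t *resp = hb_echo_vulnerable(g_memory, &n);
    if (!resp) return 0;
    /* response payload byte i == g_memory[3 + i]; "SECRET" starts at g_memory[21] */
    int leaked = (n == HB_HEADER_LEN + 40 + HB_MIN_PADDING) &&
                 memcmp(resp + HB_HEADER_LEN + 18, "SECRET", 6) == 0;
    free(resp);
    return leaked;
}

/* 1 if the hardened echo rejects the same malformed record. */
int hardened_rejects_malformed(void)
{
    size_t record_len = build_demo_memory();
    uint8_t *resp = NULL; size_t n = 0;
    int rc = hb_echo_hardened(g_memory, record_len, &resp, &n);
    free(resp);
    return rc == -1;
}

/* 1 if the hardened echo still accepts a record whose length field is honest. */
int hardened_accepts_wellformed(void)
{
    size_t record_len = build_demo_memory();
    g_memory[2] = 2;                         /* honest payload_length = 2 */
    uint8_t *resp = NULL; size_t n = 0;
    int rc = hb_echo_hardened(g_memory, record_len, &resp, &n);
    int ok = rc == 0 && n == HB_HEADER_LEN + 2 + HB_MIN_PADDING &&
             memcmp(resp + HB_HEADER_LEN, "hi", 2) == 0;
    free(resp);
    return ok;
}

int main(void)
{
    printf("vulnerable echo leaks secret: %d\n", vulnerable_leaks_secret());
    printf("hardened echo rejects malformed: %d\n", hardened_rejects_malformed());
    printf("hardened echo accepts well-formed: %d\n", hardened_accepts_wellformed());
    return 0;
}
```

The single comparison in hb_echo_hardened (header plus claimed payload plus minimum padding must not exceed the bytes received) is the whole difference between the two versions; in a real TLS implementation the "bytes received" value is the length of the decrypted record, and the check must run before any buffer is sized from the peer's length field.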
Between 2014 and 2017, more than a dozen high-severity issues were identified. For several years after that no high-severity vulnerability was reported at all; the rating was assigned to only two bugs in 2020, three more in 2021, and two more in 2022.