OpenSSL, Used by Majority of HTTPS Websites, Pre-Announces Critical Vulnerability Patch

OpenSSL, the open-source cryptography library widely used across the internet by servers and websites, has pre-announced an upcoming critically rated vulnerability patch to be released on Nov. 1, 2022.

What’s going on?

We don’t have a lot of specific details on the OpenSSL vulnerability as of writing, but what we do know is that it affects OpenSSL version 3.0 or higher.

According to OpenSSL, a critical severity means the vulnerability “affects common configurations and which are also likely to be exploitable. Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys or where remote code execution is considered likely in common situations.”

Because OpenSSL is used broadly, the vulnerability could potentially have far-reaching impacts and see extensive exploitation by threat actors.

What is OpenSSL?

Encryption has become one of the most important tools for securing data, and SSL certificates are practically mandatory for any HTTPS (Hypertext Transfer Protocol Secure) website.

OpenSSL is a software library for applications that secure communications over networks, providing an open-source implementation of the TLS (Transport Layer Security) and SSL (Secure Sockets Layer) protocols.

What is Nuspire doing?

Nuspire is not utilizing an affected version of OpenSSL.

What should I do?

We recommend organizations use this time prior to the release of the patch to inventory their technologies to determine if any are using OpenSSL version 3.0+. Once the patch, titled OpenSSL 3.0.7, is released on Nov. 1, organizations should immediately install it on all affected technologies.
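
One way to run the inventory recommended above, as an added example that is not from Nuspire or OpenSSL: a shell function that classifies `openssl version` output against the 3.0 to 3.0.7 range named in this advisory. The host names and version lines are constructed sample data, and flagging LibreSSL as a separate library for manual review is an assumption.

```shell
#!/bin/sh
# Added example: classify `openssl version` strings for the pre-patch inventory.
# Assumption: 3.0.0 up to (not including) 3.0.7 needs the update.

# Print one of: not-openssl, unknown, not-affected, needs-update, patched
classify_openssl() {
    local ver major minor patch rest
    # LibreSSL also answers to `openssl version`; it is a different library,
    # so flag it for manual review instead of comparing version numbers.
    case "$1" in *LibreSSL*) echo "not-openssl"; return ;; esac
    # First x.y.z in strings like "OpenSSL 3.0.5 5 Jul 2022" or "1.1.1q"
    ver=$(printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1)
    [ -n "$ver" ] || { echo "unknown"; return; }
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    if [ "$major" -lt 3 ]; then
        echo "not-affected"      # branches older than 3.0
    elif [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -lt 7 ]; then
        echo "needs-update"      # 3.0.0 through 3.0.6
    else
        echo "patched"           # 3.0.7 or later
    fi
}

# Read "host<TAB>version output" lines; print host, status, version line.
report_inventory() {
    while IFS="$(printf '\t')" read -r host verline; do
        [ -n "$host" ] || continue
        printf '%s\t%s\t%s\n' "$host" "$(classify_openssl "$verline")" "$verline"
    done
}

# Constructed sample inventory (hypothetical hosts, not real data)
sample_inventory() {
    printf 'web01\tOpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)\n'
    printf 'web02\tOpenSSL 1.1.1q  5 Jul 2022\n'
    printf 'build01\tOpenSSL 3.0.5 5 Jul 2022\n'
    printf 'lb01\tOpenSSL 3.0.7 1 Nov 2022\n'
    printf 'mac01\tLibreSSL 3.3.6\n'
}

sample_inventory | report_inventory
# On a live host:
#   printf '%s\t%s\n' "$(hostname)" "$(openssl version)" | report_inventory
```

`openssl version` reports only the binary on the PATH; applications and containers that bundle their own copy of the library need to be checked separately.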
