On Oct 25, 2022, the OpenSSL project announced a forthcoming release of OpenSSL (version 3.0.7) to address a critical security vulnerability. This release is now live.
The last critical vulnerability in OpenSSL was disclosed in 2016. Our security team has today added this vulnerability to the Threatrix vulnerability database.
The OpenSSL project has marked this vulnerability as critical but said it would not impact versions of OpenSSL before 3.0. You should be unaffected if you’re using a version of OpenSSL lower than 3.0.
The OpenSSL project’s security policy outlines what they consider critical vulnerabilities:
This affects common configurations which are also exploitable. Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys or where remote code execution is considered likely in common situations.
If you’re using OpenSSL 3.0 or above, upgrade immediately to 3.0.7, which is now available. If you aren’t a Threatrix customer, follow the link to upgrade: openSSL.org
The vulnerable versions of OpenSSL (3.0 and above) are currently shipped by Linux distributions such as Ubuntu 22.04 LTS and Fedora 36, by macOS Ventura, and by others. However, Linux distros like Debian only include OpenSSL 3.x in their most recent releases, which are still considered testing versions, so widespread use in production systems may be limited. Container images built on affected versions of Linux will also be impacted. It is worth noting, though, that many popular Docker Official images use Debian Bullseye (11) and Alpine, which still ship OpenSSL 1.x and are not impacted. The Docker Official container images for projects like nginx and httpd, popular for handling web traffic, also use Bullseye and Alpine and are unaffected.
Node.js 18.x and 19.x also use OpenSSL 3 by default, so we anticipate upgrades coming for Node.js in the next few days.
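As an added example that is not part of the Threatrix post, the following POSIX shell script classifies an OpenSSL version string against the range described above (3.0.0 through 3.0.6 affected, fixed in 3.0.7) and applies that check to the host's openssl binary, the OpenSSL bundled with Node.js, and, optionally, a container image. It assumes `node -p process.versions.openssl` and `docker run --rm IMAGE openssl version` are available where those checks run, and it treats LibreSSL (what the `openssl` command on macOS usually is) as out of scope.

```shell
#!/bin/sh
# Added example, not code from the Threatrix post. Classifies an OpenSSL version
# against the range the advisory covers: 3.0.0 through 3.0.6 are affected,
# 3.0.7 carries the fix; 1.x and LibreSSL (macOS's usual openssl binary) are
# out of scope. Accepts "openssl version" output ("OpenSSL 3.0.5 5 Jul 2022")
# or the bare string Node.js reports ("3.0.5+quic").
# Exit status: 0 = affected, 1 = not affected, 2 = string not recognised.
openssl_affected() {
    case $1 in LibreSSL*) return 1 ;; esac      # a fork, not OpenSSL 3.0.x
    s=${1#OpenSSL }
    ver=$(printf '%s\n' "$s" | sed -n 's/^\([0-9][0-9.]*[0-9]\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case $rest in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    patch=${patch%%.*}                          # ignore any fourth component
    [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -lt 7 ]
}

# Print a one-line verdict for a labelled version string.
report() {
    rc=0
    openssl_affected "$2" || rc=$?
    case $rc in
        0) echo "$1: $2 -> AFFECTED, upgrade to OpenSSL 3.0.7" ;;
        1) echo "$1: $2 -> not affected" ;;
        *) echo "$1: $2 -> version string not recognised" ;;
    esac
}

# Check the host's openssl binary and, when present, the OpenSSL bundled with Node.js.
scan_host() {
    if command -v openssl >/dev/null 2>&1; then
        report "system openssl" "$(openssl version)"
    fi
    if command -v node >/dev/null 2>&1; then
        report "node.js bundled openssl" "$(node -p process.versions.openssl)"
    fi
}

# Check a container image (assumes the image ships an openssl binary on PATH).
scan_image() {
    report "image $1" "$(docker run --rm "$1" openssl version 2>/dev/null)"
}

case "${1:-}" in
    --scan)  scan_host ;;
    --image) scan_image "$2" ;;
esac
```

Run it as `sh check_openssl.sh --scan` on a host, or `sh check_openssl.sh --image nginx:latest` to test an image.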