Threatrix Blog

New OpenSSL critical vulnerability Update

On Oct 25, 2022, the OpenSSL project pre-announced a release of OpenSSL 3.0.7 to address a critical security vulnerability. That release is now live.

The last OpenSSL vulnerability rated critical was disclosed in 2016. Our security team has today added this vulnerability to the Threatrix vulnerability database.

Vulnerability Details

The OpenSSL project rated this vulnerability critical and stated that it does not affect versions of OpenSSL before 3.0: only the 3.0 series (3.0.0 through 3.0.6) is affected, and the fix is in 3.0.7. If you are running a version of OpenSSL lower than 3.0 (for example the 1.1.1 series), you are unaffected.

The OpenSSL project’s security policy describes what the project considers a critical vulnerability:

This affects common configurations which are also exploitable. Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys or where remote code execution is considered likely in common situations.

If you’re using OpenSSL 3.0 or above, upgrade immediately to 3.0.7. If you aren’t a Threatrix customer, get the release directly from the OpenSSL project: openSSL.org

The vulnerable versions of OpenSSL (3.0.x) ship in current operating system releases including Ubuntu 22.04 LTS and Fedora 36, and in macOS Ventura. Debian, by contrast, only carries OpenSSL 3.x in its testing branch, not in the current stable release (Bullseye, which ships 1.1.1), so exposure on production Debian systems should be limited.

Container images built on an affected distribution release inherit the problem. Many popular Docker Official Images, however, are based on Debian Bullseye (11) or Alpine, which still ship OpenSSL 1.x and are not impacted; the official nginx and httpd images, widely used for handling web traffic, are Bullseye- and Alpine-based and so are unaffected. Bear in mind that the base image is not the whole story: an application that bundles or statically links its own copy of OpenSSL is affected regardless of the base image, and running openssl version on a host or inside an image only tells you which library the command-line tool itself uses.

Node.js 18.x and 19.x bundle OpenSSL 3 by default in the official binaries, so the version of the system library does not tell you whether a Node.js runtime is affected; we anticipate Node.js security releases in the next few days.
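As an added example (not code from Threatrix or from the OpenSSL project), the following POSIX shell script classifies an OpenSSL version string against the affected range described above (3.0.0 through 3.0.6, fixed in 3.0.7) and then inventories the separate copies of OpenSSL a host can carry: the openssl command-line tool, the distribution's libssl package (dpkg or rpm), and the copy bundled in a Node.js runtime, which the previous paragraph notes ships OpenSSL 3 independently of the system library. The function names are this example's own, the version strings in the comments and tests are constructed samples, and the script assumes the standard openssl version, dpkg-query, rpm -q and node -p process.versions.openssl invocations.

```shell
#!/bin/sh
# Added example (not Threatrix or OpenSSL project code): classify OpenSSL
# version strings against the 3.0.0-3.0.6 affected range (fixed in 3.0.7),
# then inventory the places a copy of OpenSSL can hide on a host.
# Function names are this example's own; the sample strings are constructed.

# Pull an x.y.z version (optionally with a 1.1.1n-style letter) out of any of:
#   "OpenSSL 3.0.2 15 Mar 2022"   (openssl version)
#   "3.0.2-0ubuntu1.6"            (Debian/Ubuntu package version)
#   "3.0.7+quic"                  (node -p process.versions.openssl)
openssl_version_from() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+[a-z]?' | head -n 1
}

# Print one of: affected | fixed | unaffected | not-openssl | unknown
openssl_status() {
    case "$1" in
        *LibreSSL*) echo not-openssl; return 0 ;;   # macOS /usr/bin/openssl is LibreSSL
    esac
    v=$(openssl_version_from "$1")
    if [ -z "$v" ]; then echo unknown; return 0; fi
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}            # "1n" -> "1"
    if [ "$major" -lt 3 ]; then
        echo unaffected                 # 1.1.1 and earlier are not affected
    elif [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]; then
        echo affected                   # 3.0.0 .. 3.0.6
    else
        echo fixed                      # 3.0.7 or later
    fi
}

# Print a labelled finding; stays silent when the source returned nothing.
report() {  # report LABEL VERSION_STRING
    [ -n "$2" ] || return 0
    printf '%-22s %-35s %s\n' "$1" "$2" "$(openssl_status "$2")"
}

# Each source is checked on its own: a patched libssl package does not
# patch a runtime that carries its own copy, and vice versa.
check_host() {
    if command -v openssl >/dev/null 2>&1; then
        report "openssl CLI" "$(openssl version 2>/dev/null)"
    fi
    if command -v dpkg-query >/dev/null 2>&1; then
        report "dpkg libssl3" "$(dpkg-query -W -f='${Version}' libssl3 2>/dev/null)"
    fi
    if command -v rpm >/dev/null 2>&1 && rpm -q openssl-libs >/dev/null 2>&1; then
        report "rpm openssl-libs" "$(rpm -q --qf '%{VERSION}' openssl-libs)"
    fi
    if command -v node >/dev/null 2>&1; then
        report "node bundled OpenSSL" "$(node -p process.versions.openssl 2>/dev/null)"
    fi
}

check_host
```

Run it with sh on each host, or feed it to a container that has a shell (for example docker run --rm -i IMAGE sh, reading the script from standard input). Any line whose last column reads "affected" is a copy that needs the 3.0.7 update; a macOS system openssl reports LibreSSL, which is a different code base and outside the scope of this advisory, and a Node.js runtime reporting 3.0.x needs a Node.js release, not a system package update.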

Kristen Bianchi
