It all depends on OpenSSL. If you don't know, OpenSSL is the library and toolkit that makes it possible to use the TLS (Transport Layer Security) security protocol on Linux, Unix, Windows and many other operating systems.
It is also the code used to secure almost every secure-communication and networking app, and of course almost every device out there.
So when Mark Cox, a distinguished software engineer at Red Hat and the VP of Security at the Apache Software Foundation (ASF), tweeted this week: "OpenSSL update 3.0.7 will fix Critical CVE next Tuesday 1300-1700UTC", we should all be worried.
OpenSSL 3.0.7 update to fix Critical CVE out next Tuesday 1300-1700UTC. Does not affect versions before 3.0. https://t.co/jIRQhx0nCr
— Mark J Cox (@iamamoose) October 25, 2022
How critical is “Critical”?
According to OpenSSL, a critical severity issue affects common configurations and is also likely to be exploited by malicious users. It could be used to disclose a server's memory contents and with them user information, and it could be remotely exploited to compromise the server's private keys or to execute code remotely. In other words, pretty much anything you don't want to happen to your systems.
The story
The last time OpenSSL had a critical security flaw like this was in 2016. This vulnerability could be used to crash and take over systems. Years after its discovery, security firm Check Point estimated that it affected over 42% of organizations.
The current security gap could be worse.
We can only hope it won't be as bad as OpenSSL's all-time champion security flaw, Heartbleed, in 2014.
The good news
But there is also something encouraging. The new security vulnerability only affects OpenSSL versions 3.0.0 through 3.0.6. So older operating systems and devices are likely to have no problems.
For example, Red Hat Enterprise Linux (RHEL) 8.x and earlier versions and Ubuntu 20.04 will have no problem.
But RHEL 9.x and Ubuntu 22.04 use OpenSSL 3.x.
If you're using OpenSSL 3.x anywhere, get ready to update on Tuesday. This is a dangerous security gap, and exploits will soon follow.
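To act on that advice you first need to know which OpenSSL each host actually runs. The POSIX shell script below is an added example, not from the article or from the OpenSSL project: it parses the output format of the real `openssl version` command and classifies the version against the range the article names as affected (3.0.0 through 3.0.6, fixed in 3.0.7). The function names, the sample version lines and the status labels are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the article): find out whether a host's OpenSSL
# falls in the range the article reports as affected, 3.0.0 through 3.0.6,
# with 3.0.7 as the fix. Versions before 3.0 are reported as unaffected,
# as the announcement states.

# Extract "MAJOR.MINOR.PATCH" from one line of `openssl version` output, e.g.
#   "OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)"
#   "OpenSSL 1.1.1q  5 Jul 2022"
# When a "Library:" field is present it is preferred, because that is the
# libssl actually loaded, which can differ from the version the CLI was built for.
openssl_version_from_line() {
    line="$1"
    lib=$(printf '%s\n' "$line" | sed -n 's/.*Library: OpenSSL \([0-9][0-9.]*[0-9]\).*/\1/p')
    if [ -n "$lib" ]; then
        printf '%s\n' "$lib"
    else
        printf '%s\n' "$line" | sed -n 's/^OpenSSL \([0-9][0-9.]*[0-9]\).*/\1/p'
    fi
}

# Print "affected", "fixed", "unaffected" or "unknown" for a version string.
# A letter suffix such as "1.1.1q" is tolerated; only the numeric parts matter.
openssl_status() {
    ver="$1"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=$(printf '%s' "$patch" | sed 's/[^0-9].*$//')   # "1q" -> "1"
    case "$major$minor$patch" in
        ''|*[!0-9]*) echo unknown; return 1 ;;
    esac
    if [ "$major" -lt 3 ]; then
        echo unaffected            # 1.1.1 and 1.0.2 are outside the affected range
    elif [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]; then
        echo affected              # 3.0.0 .. 3.0.6: update to 3.0.7 when released
    else
        echo fixed                 # 3.0.7 or later
    fi
}

# Check the OpenSSL on this host, if the CLI is installed. Note that this only
# sees the system copy: applications that bundle or statically link their own
# OpenSSL (container images, vendor appliances) need to be inventoried separately.
check_local_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        ver=$(openssl_version_from_line "$(openssl version)")
        printf 'local OpenSSL %s: %s\n' "$ver" "$(openssl_status "$ver")"
    else
        echo 'openssl CLI not found; check the libssl package with your package manager'
    fi
}

# Constructed sample lines, standing in for output collected from several hosts.
for sample in \
    'OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)' \
    'OpenSSL 1.1.1q  5 Jul 2022' \
    'OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)'
do
    v=$(openssl_version_from_line "$sample")
    printf '%-10s %s\n' "$v" "$(openssl_status "$v")"
done
```

Run it on each RHEL 9 or Ubuntu 22.04 host (or feed it `openssl version` output gathered by your configuration management) to build the list of machines that need Tuesday's update; the package manager check (`rpm -q openssl` or `dpkg -s libssl3`) confirms the installed library package where the CLI is absent.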