Critical vulnerability discovered in OpenSSL v3

A critical vulnerability was discovered in OpenSSL Version 3 on November 1st. Although the details of the vulnerability are not yet clear, OpenSSL is used by a huge number of applications, devices, and operating systems, so the fallout could be severe.

The critical vulnerability, specific to OpenSSL Version 3, was discovered on the 1st of November, 2022. The discovery was followed by a mass warning-email campaign to app, website, operating system, and other web-service providers.

The nature and impact of the vulnerability remain unclear and will only be made public after the patch is released and a thorough investigation is complete. However, given how many online services use OpenSSL, its impact could range from minor to extremely severe.

Cybersecurity experts speculate that, depending on the nature of the vulnerability, it could be exploited to hijack servers that use port 443, as well as, potentially, other ports and protocols. If the vulnerability lies in client-side code, it could also be used to take control of browsers; the latter is, however, highly unlikely.

The good news is that, because OpenSSL 3 is relatively new (it was only released in September 2021), few systems actually run it. This estimate, however, does not account for devices, and the actual number of vulnerable systems remains unclear.

OpenSSL is currently rolling out a patch, OpenSSL 3.0.7, which should become widely available throughout the day. The OpenSSL project recommends installing the fix as soon as possible.
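Before installing the fix, an administrator needs to know which hosts are actually in scope. The following shell script is an added example (not part of the article and not from the OpenSSL project): it takes the text printed by `openssl version`, extracts the version number, and reports whether the build falls in the range the article describes (the 3.x series below the 3.0.7 fix level). The labels `update-required`, `patched` and `out-of-scope` are my own, and the sample version strings in the loop are constructed for illustration; the `out-of-scope` result for 1.x builds relies solely on the article's statement that the issue is specific to Version 3.

```shell
#!/bin/sh
# Added example, not from the article or the OpenSSL project: classify an
# `openssl version` line against the 3.0.7 fix level named in the article.

# Extract the bare version number from an `openssl version` line,
# e.g. "OpenSSL 3.0.5 5 Jul 2022" -> "3.0.5".
openssl_version_number() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# Print one of (labels are this example's own, not OpenSSL terminology):
#   update-required  3.x build below 3.0.7, the fix level the article names
#   patched          3.0.7 or any later 3.x release
#   out-of-scope     not a 3.x build (the article says the issue is specific to v3)
openssl_fix_status() {
    ver=$(openssl_version_number "$1")
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # Drop any letter suffix, such as the "q" in 1.1.1q, before comparing numerically.
    patch=$(printf '%s' "$patch" | sed 's/[^0-9].*$//')
    [ -z "$patch" ] && patch=0
    if [ "$major" != "3" ]; then
        echo out-of-scope
    elif [ "$minor" -gt 0 ] || [ "$patch" -ge 7 ]; then
        echo patched
    else
        echo update-required
    fi
}

# Constructed sample lines for a self-check; a real host prints one line from `openssl version`.
for sample in "OpenSSL 3.0.5 5 Jul 2022" "OpenSSL 3.0.7 1 Nov 2022" "OpenSSL 1.1.1q 5 Jul 2022"; do
    printf '%-28s %s\n' "$sample" "$(openssl_fix_status "$sample")"
done

# Check the binary on PATH, if there is one (skipped otherwise so the script runs anywhere).
if command -v openssl >/dev/null 2>&1; then
    installed=$(openssl version)
    printf '%-28s %s\n' "$installed" "$(openssl_fix_status "$installed")"
fi
```

The script only inspects the OpenSSL binary on PATH; applications that bundle or statically link their own copy of the library report nothing here and have to be checked separately, which is one reason the article's count of affected systems is uncertain.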
