News item | 31-10-2022 | 16:18
A critical vulnerability has been discovered in OpenSSL 3.0. The OpenSSL development team has announced that they will release version 3.0.7 on Tuesday, November 1, 2022. This new version fixes the vulnerability. The vulnerability is not present in versions below 3.0, so versions 1.1.1 and 1.0.2 are not affected by this issue.
OpenSSL is one of the most popular software components for encrypting network connections. NCSC recommends identifying which software in your organization uses OpenSSL. Prepare your organization to patch the relevant software as soon as updates are available.
To assist organizations in mapping vulnerable systems, NCSC has created a GitHub page that maintains an overview of products that use OpenSSL. Where possible, it is mentioned which products use a vulnerable version. NCSC will be actively monitoring this GitHub page in the near future.
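As an added example (not part of the NCSC news item or its GitHub overview), the following Python sketch triages a collected list of `openssl version` outputs against the version facts stated above: releases below 3.0 are not affected, and 3.0.7 contains the fix. The host names and inventory lines are constructed sample data, and the function names are hypothetical.

```python
import re

# Matches the version token in strings such as "OpenSSL 3.0.2 15 Mar 2022"
# or "OpenSSL 1.1.1q  5 Jul 2022"; a trailing letter is a 1.x patch level.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)

FIXED = (3, 0, 7)       # release announced on the page as containing the fix
FIRST_3_0 = (3, 0, 0)   # versions below 3.0 are stated as not affected


def classify(version_line):
    """Return (version, status) for one `openssl version` style line."""
    m = VERSION_RE.search(version_line)
    if not m:
        return None, "unknown"
    numeric = tuple(int(g) for g in m.group(1, 2, 3))
    version = ".".join(map(str, numeric)) + m.group(4)
    if numeric < FIRST_3_0:
        return version, "not affected"
    if numeric < FIXED:
        return version, "update to 3.0.7"
    return version, "fixed"


def triage(inventory):
    """inventory: iterable of (host, version_line). Returns hosts grouped by status."""
    result = {}
    for host, line in inventory:
        version, status = classify(line)
        result.setdefault(status, []).append((host, version))
    return result


# Constructed sample inventory (hypothetical host names), e.g. collected by
# running `openssl version` on each system.
SAMPLE = [
    ("web-01", "OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)"),
    ("web-02", "OpenSSL 1.1.1q  5 Jul 2022"),
    ("legacy-01", "OpenSSL 1.0.2k-fips  26 Jan 2017"),
    ("build-01", "OpenSSL 3.0.7 1 Nov 2022"),
    ("appliance-01", "LibreSSL 3.3.6"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status}:")
        for host, version in hosts:
            print(f"  {host}  {version or 'unparsed'}")
```

Distribution packages may carry backported fixes under an unchanged upstream version number, so treat an "update to 3.0.7" result as a prompt to check the vendor's own advisory. Software that bundles or statically links OpenSSL will not show up in `openssl version` output and has to be identified separately.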
There is no additional information about the vulnerability at this time. NCSC does not know whether the problem exists in one or more versions of 3.0, or whether abuse has already occurred. NCSC will issue a security advisory as soon as a patch or relevant information becomes available.

