On Tuesday 1st of November, between 1-5pm UTC a new version of the widely adopted OpenSSL 3.x series will be released for general consumption. The OpenSSL project announced this in their mailing list and through twitter, also revealing the existence of a new CRITICAL security vulnerability this patch fixes.
OpenSSL 3.0.7 update to fix Critical CVE out next Tuesday 1300-1700UTC. Does not affect versions before 3.0. https://t.co/jIRQhx0nCr
— Mark J Cox (@iamamoose) October 25, 2022
In a twist to the usual formula the project is giving the world a week's advance notice of the impending patching, and we all should indeed take note of it and be prepared. OpenSSL is widely considered to be a part of the critical infrastructure of the internet - among other things generating the certificates that allow websites to run over HTTPS.
At the time of writing, it also appears that only OpenSSL versions between 3.0-> 3.0.6 are affected, and this critical security vulnerability is fixed in the upcoming 3.0.7. OpenSSL 3 is widely adopted, but current surveys indicate that it's still far outweighed by 1.x distribution that is mostly out of LTS today - and completely after September 2023.
However, there are 62 wrapper packages distributed by the world's largest Java Open Source ecosystem - Maven Central that repackage OpenSSL. It is more often included to a project transitively or required from the system by a piece of software. Indeed, any application that provides a web server, or uses a web server, could run on a server software that relies on an outdated version.
Historically, OpenSSL vulnerabilities have had a widespread impact - who could forget the infamous Heartbleed vulnerability that affected it. Heartbleed started the trend for naming security vulnerabilities and is widely credited to have started the mass movement towards security vulnerability awareness in the general public.
We at Sonatype are taking the opportunity to raise awareness of this upcoming important patch that will affect a vast majority of the infrastructure of the internet, and websites that power it. Although the amount of code affected today might only touch a few packages, critical vulnerabilities like this never come alone. Often similar flaws are discovered subsequently - either inspired by the original issue or using a similar methodology. Running a proactive inventory of the versions of OpenSSL you have installed and identifying any systems running on 3.x will speed up your patching efforts.
Just like the Text4shell vulnerability last week, security vulnerabilities occur constantly in the world of open source - and the burden of action lies squarely on adopters of it to react swiftly. According to the research we published in our recent State of The Software Supply Chain report, we as an industry are not very good at adopting the fixes with over 62% of vulnerable downloads being avoidable. The best defense is to be aware of the most critical issues, and to have automated coverage of your open source estate to help you identify and react to issues when they arise.
