Tuesday, October 25, 2022, the OpenSSL project team announced that OpenSSL version 3.0.7 will be released on Tuesday, November 1. The release will include a fix for a critical, security-related vulnerability in OpenSSL versions 3.0 forward. This vulnerability may have existed since September of last year.

Vulnerabilities in popular libraries like OpenSSL are sometimes referred to as "long-tail" bugs. That’s because we often have to wait on third parties to patch their own products. Discovery is a longer project in situations like this because libraries like OpenSSL are often embedded at multiple points in various software supply chains.

Details are not yet available on the vulnerability (we’ll update them here when they are), though the OpenSSL team security policy indicates that critical severity issues generally affect common configurations which are also likely to be exploitable. We are expecting patches to be released on Tuesday, November 1.

What to do now about the OpenSSL vulnerability

There are three things I consider when dealing with a new vulnerability: severity, exploitability, and exposure. In this case, we know the severity is critical. We likely won't know how practical it is for an actor to exploit until more information is released on November 1. So the immediate task is to determine your exposure, in terms of where it is, how accessible it is, how critical it is, and how quickly patches can be applied once available.

To do that, we strongly recommend verifying OpenSSL versions across your environment to determine if you are affected. This is where Automox's simplified patching solution can be a critical win for your security and IT teams. Use your team’s time to discover vulnerable software in your environment and then let your patching solution take it from there.

Once a patch is available, the ability to automatically push it out and track compliance allows your team to focus on the analytics while letting the machines quickly accomplish the mundane final steps.

How to find out if you’re exposed to the OpenSSL vulnerability

If you’re an Automox user, simply search your Software Inventory for “OpenSSL” and review the versions present.

And again, if you have any version of OpenSSL version 3.0 and forward, you'll need to be ready to upgrade to 3.0.7 as vendor patches are released.