It has been announced that the critical security vulnerability affects the versions from OpenSSL 3.0, released on September 7, 2021, through version 3.0.6. The affected versions are therefore not as widely known as OpenSSL 1.x, which has been available for 12 years.
OpenSSL security vulnerabilities have a widespread impact. The Heartbleed vulnerability, discovered in April 2014, was observed on Apache and Nginx web servers, which have a usage rate of over 66% among all active websites on the internet. However, it is unknown whether the detected and announced critical vulnerability will lead to mass exploitation like Heartbleed.
In this context, to limit the risk of being affected by this security vulnerability as much as possible, it is recommended, until the OpenSSL developers release their measures, to master the “Software Supply Chain” processes in order to determine which applications are running the old-version OpenSSL libraries, and to make preliminary preparations.
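One way to start that inventory, as an added example that is not part of the original advisory: the script below walks directory trees, looks for the version banner that OpenSSL embeds in its libraries and in statically linked binaries, and flags versions in the 3.0 to 3.0.6 range stated above. The function names are hypothetical and the sample bytes are constructed; a file whose banner has been stripped will not be reported, so package-manager and SBOM data remain necessary alongside it.

```python
import mmap
import os
import re
import sys

# Banner embedded in libcrypto/libssl and in statically linked programs,
# e.g. b"OpenSSL 3.0.2 15 Mar 2022" (1.1.1 builds use two spaces before the date).
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)\s+\d{1,2} [A-Z][a-z]{2} \d{4}")

# Affected range as stated in the advisory text: 3.0 up to and including 3.0.6.
AFFECTED_MIN, AFFECTED_MAX = (3, 0, 0), (3, 0, 6)


def versions_in(data):
    """Return the set of (major, minor, patch) tuples found in a bytes-like object."""
    return {tuple(int(g) for g in m.groups()[:3]) for m in BANNER.finditer(data)}


def is_affected(version):
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def scan_tree(root):
    """Yield (path, version, affected) for each regular file under root that has a banner."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                # Skip symlinks (avoids duplicates), FIFOs/devices, and empty files.
                if os.path.islink(path) or not os.path.isfile(path) or os.path.getsize(path) == 0:
                    continue
                with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
                    found = versions_in(mm)
            except (OSError, ValueError):
                continue  # unreadable file: skip it rather than abort the inventory
            for version in sorted(found):
                yield path, version, is_affected(version)


if __name__ == "__main__":
    # Constructed sample bytes standing in for fragments of two binaries.
    sample = b"\x00OpenSSL 3.0.2 15 Mar 2022\x00...\x00OpenSSL 1.1.1k  25 Mar 2021\x00"
    for v in sorted(versions_in(sample)):
        print(v, "AFFECTED" if is_affected(v) else "not in affected range")
    for root in sys.argv[1:]:  # e.g. /usr/lib /opt
        for path, v, hit in scan_tree(root):
            print(f"{'AFFECTED' if hit else 'ok':8} {'.'.join(map(str, v))}  {path}")
```

Because it reads file contents instead of package metadata, the scan also surfaces copies of OpenSSL bundled inside application directories or linked statically into executables.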