The OpenSSL project, which underlies the majority of encryption across the internet, kept quiet about the flaw and said only in October that version 3.0.7 should be installed as soon as it becomes available.
The last such release took place in 2016, and this one appears to relate to a critical vulnerability found in the component since the project started tracking such things in the wake of Heartbleed.
For those who came in late, Heartbleed is a coding flaw that could allow an attacker to repeatedly get at unencrypted data from the memory of systems using vulnerable versions of OpenSSL, and it shook the industry to its foundations when it was made public in April 2014.
Details of this new flaw are not yet known, but it could yet prove to be as impactful as, or even more so than, Heartbleed.
That the OpenSSL team has given security teams advance warning is also something of an unusual step, but it may be a small mercy in that it has given people time to clear the decks in advance and ensure they won’t be blindsided by it.
Paul Baird, chief technical security officer at Qualys, said that OpenSSL defines a critical update as one that affects common configurations and is likely to be exploitable in such a way that it allows significant disclosure of the contents of server memory and reveals user details; can be easily exploited remotely to compromise server private keys; or could likely lead to remote code execution (RCE).
“This is therefore going to be an issue that everyone will have to patch pretty much immediately on release of the updated versions of OpenSSL. From a planning and prioritisation point of view, this will be what many security professionals spend their time on next week,” said Baird.
“Best practices here would be to know all your OpenSSL implementations, what versions they are at, and prioritise your update plans accordingly. With something like this, being forewarned is forearmed, as I would expect there to be a lot of interest in the details of any issue and any proof of concept code releases, both from security professionals and from bad actors.”
What is known is that the incoming vulnerability only affects 3.0.x versions of OpenSSL, which means anybody still running 1.1.1 versions ought to be safe and security teams can dismiss some sections of their infrastructure right away. This may mitigate the impact a little.
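As an added illustration of the inventory-and-prioritise approach Baird describes and of the 3.0.x-only scope noted above (example code written here, not from the article or from the OpenSSL project): a small Python script that classifies `openssl version` banners collected from hosts. The hostnames and banners in the inventory are constructed sample data.

```python
import re
from typing import NamedTuple

# Version the project said to install on release (3.0.7); anything in the
# 3.0 series below it is treated as needing the update.
FIXED = (3, 0, 7)

class Triage(NamedTuple):
    host: str
    version: str
    status: str  # "update-now" | "unknown" | "already-fixed" | "not-affected"

# Matches "OpenSSL 3.0.5 ..." and letter-suffixed 1.1.1 builds such as "1.1.1q".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_version(banner: str):
    """Return (major, minor, patch, letter) from an `openssl version` banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter

def triage(host: str, banner: str) -> Triage:
    """Classify one host by the advisory's scope: only the 3.0.x series is affected."""
    parsed = parse_version(banner)
    if parsed is None:
        return Triage(host, banner.strip(), "unknown")  # not OpenSSL, or unparsable
    major, minor, patch, letter = parsed
    label = f"{major}.{minor}.{patch}{letter}"
    if (major, minor) != (3, 0):
        return Triage(host, label, "not-affected")  # e.g. the 1.1.1 series
    if (major, minor, patch) >= FIXED:
        return Triage(host, label, "already-fixed")
    return Triage(host, label, "update-now")

# Constructed sample inventory: host -> captured output of `openssl version`.
# Note: this only reflects the system library; applications that statically
# link or bundle their own OpenSSL copy need to be inventoried separately.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)",
    "web-02": "OpenSSL 1.1.1q  5 Jul 2022",
    "build-01": "OpenSSL 3.0.7",
    "legacy-01": "LibreSSL 3.3.6",
}

def prioritise(inventory):
    """Return triage results with hosts that need the update listed first."""
    order = {"update-now": 0, "unknown": 1, "already-fixed": 2, "not-affected": 3}
    results = [triage(h, b) for h, b in inventory.items()]
    return sorted(results, key=lambda r: (order[r.status], r.host))

if __name__ == "__main__":
    for r in prioritise(SAMPLE_INVENTORY):
        print(f"{r.host:10} {r.version:10} {r.status}")
```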