Security Experts:

OpenSSL to Patch First Critical Vulnerability Since 2016

OpenSSL critical vulnerability

The OpenSSL Project has informed users that an upcoming update will patch a critical vulnerability in the open source cryptography and secure communication toolkit.

OpenSSL version 3.0.7 is scheduled for Tuesday, November 1, between 13:00 and 17:00 UTC. No details have been provided, but it has been described as a ‘security-fix release’ that will include a patch for a vulnerability rated ‘critical’.

The issue does not appear to impact OpenSSL versions prior to 3.0.

This is the first critical vulnerability patched in OpenSSL since September 2016, and only the second flaw to be officially assigned a ‘critical’ severity rating.

[ READ: Evolution of OpenSSL Security After Heartbleed ]

In addition to the 3.0.7 release, the OpenSSL Project is also preparing version 1.1.1s, which is a bug fix release scheduled for the same day.

The OpenSSL Project started assigning severity ratings to vulnerabilities in 2014, when the notorious Heartbleed vulnerability came to light. Since the disclosure of Heartbleed, OpenSSL security has evolved significantly.

Roughly a dozen high-severity issues were discovered between 2014 and 2017. Then, no other high-severity vulnerabilities were identified until 2020, when two bugs were assigned this rating. Three high-severity issues were found in 2021 and two in 2022.

Related: Three New Vulnerabilities Patched in OpenSSL

Related: OpenSSL Vulnerability Can Be Exploited to Change Application Data

Related: High-Severity DoS Vulnerability Patched in OpenSSL

Related: OpenSSL Patches Remote Code Execution Vulnerability

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.