Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

OpenSSL to Patch First Critical Vulnerability Since 2016

OpenSSL critical vulnerability

The OpenSSL Project has informed users that an upcoming update will patch a critical vulnerability in the open source cryptography and secure communication toolkit.

OpenSSL critical vulnerability

The OpenSSL Project has informed users that an upcoming update will patch a critical vulnerability in the open source cryptography and secure communication toolkit.

OpenSSL version 3.0.7 is scheduled for Tuesday, November 1, between 13:00 and 17:00 UTC. No details have been provided, but it has been described as a ‘security-fix release’ that will include a patch for a vulnerability rated ‘critical’.

The issue does not appear to impact OpenSSL versions prior to 3.0.

This is the first critical vulnerability patched in OpenSSL since September 2016, and only the second flaw to be officially assigned a ‘critical’ severity rating.

[ READ: Evolution of OpenSSL Security After Heartbleed ]

In addition to the 3.0.7 release, the OpenSSL Project is also preparing version 1.1.1s, which is a bug fix release scheduled for the same day.

The OpenSSL Project started assigning severity ratings to vulnerabilities in 2014, when the notorious Heartbleed vulnerability came to light. Since the disclosure of Heartbleed, OpenSSL security has evolved significantly.

Roughly a dozen high-severity issues were discovered between 2014 and 2017. Then, no other high-severity vulnerabilities were identified until 2020, when two bugs were assigned this rating. Three high-severity issues were found in 2021 and two in 2022.

Advertisement. Scroll to continue reading.

Related: Three New Vulnerabilities Patched in OpenSSL

Related: OpenSSL Vulnerability Can Be Exploited to Change Application Data

Related: High-Severity DoS Vulnerability Patched in OpenSSL

Related: OpenSSL Patches Remote Code Execution Vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights