Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

OpenSSL to Patch First Critical Vulnerability Since 2016

OpenSSL critical vulnerability

The OpenSSL Project has informed users that an upcoming update will patch a critical vulnerability in the open source cryptography and secure communication toolkit.

OpenSSL critical vulnerability

The OpenSSL Project has informed users that an upcoming update will patch a critical vulnerability in the open source cryptography and secure communication toolkit.

OpenSSL version 3.0.7 is scheduled for Tuesday, November 1, between 13:00 and 17:00 UTC. No details have been provided, but it has been described as a ‘security-fix release’ that will include a patch for a vulnerability rated ‘critical’.

The issue does not appear to impact OpenSSL versions prior to 3.0.

This is the first critical vulnerability patched in OpenSSL since September 2016, and only the second flaw to be officially assigned a ‘critical’ severity rating.

[ READ: Evolution of OpenSSL Security After Heartbleed ]

In addition to the 3.0.7 release, the OpenSSL Project is also preparing version 1.1.1s, which is a bug fix release scheduled for the same day.

The OpenSSL Project started assigning severity ratings to vulnerabilities in 2014, when the notorious Heartbleed vulnerability came to light. Since the disclosure of Heartbleed, OpenSSL security has evolved significantly.

Roughly a dozen high-severity issues were discovered between 2014 and 2017. Then, no other high-severity vulnerabilities were identified until 2020, when two bugs were assigned this rating. Three high-severity issues were found in 2021 and two in 2022.

Advertisement. Scroll to continue reading.

Related: Three New Vulnerabilities Patched in OpenSSL

Related: OpenSSL Vulnerability Can Be Exploited to Change Application Data

Related: High-Severity DoS Vulnerability Patched in OpenSSL

Related: OpenSSL Patches Remote Code Execution Vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Madhu Gottumukkala has been named Deputy Director of the cybersecurity agency CISA.

Wendi Whitmore has taken the role of Chief Security Intelligence Officer at Palo Alto Networks.

Phil Venables, former CISO of Google Cloud, has joined Ballistic Ventures as a Venture Partner.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.