
The OpenSSL Project, which maintains the widely used OpenSSL library, has announced that a patch for a critical-severity vulnerability will be released on November 1.

This is the first critical-rated OpenSSL fix since 2016, and only the second since the project began assigning severity ratings. To reduce the chance of attackers reverse engineering the patch into a working exploit before users can update, the full details of the vulnerability will be disclosed only once the patch is available.

The issue is understood not to affect OpenSSL versions before 3.0; the fix will ship in the 3.0.7 release. Because 3.0 was only released in September 2021, deployments still on the 1.1.1 series or earlier are not exposed.
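Since the only actionable information before November 1 is the affected version range, the practical preparation is an inventory of where OpenSSL 3.0.x is actually in use. The script below is an added example, not code from the article or from the OpenSSL project: it classifies `openssl version` output against the range the article gives (3.0.0 through 3.0.6 affected, fixed in 3.0.7, 1.1.1 and earlier unaffected). The `--local` mode and the python3 check are assumptions about how one might survey a host; applications frequently link their own copy of the library, so the CLI version alone is not a complete answer. The sample version strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article or the OpenSSL project): decide whether an
# OpenSSL version string falls in the range reported as affected, 3.0.0 .. 3.0.6.
# Exit codes of openssl_version_affected: 0 = affected, 1 = not affected, 2 = unrecognised.

# parse_openssl_version "OpenSSL 3.0.5 5 Jul 2022" -> prints "3.0.5"
# Fails (status 1) for non-OpenSSL output such as "LibreSSL 3.3.6".
parse_openssl_version() {
    set -- $1                                 # split the banner on whitespace
    [ "${1:-}" = "OpenSSL" ] || return 1
    printf '%s\n' "${2:-}"
}

# openssl_version_affected "3.0.5" -> 0 ; "3.0.7" -> 1 ; "3.0.7-dev" -> 2
openssl_version_affected() {
    case "$1" in
        3.0.[0-6])                   return 0 ;;   # 3.0.0 .. 3.0.6: affected
        3.0.[0-9]|3.0.[1-9][0-9]*)   return 1 ;;   # 3.0.7 and later: fixed
        0.*|1.*|3.[1-9]*|[4-9].*)    return 1 ;;   # other branches: not affected per the announcement
        *)                           return 2 ;;   # snapshots, dev builds, garbage: decide manually
    esac
}

# classify_openssl_output "<banner>" -> prints affected | not-affected | unknown
classify_openssl_output() {
    ver=$(parse_openssl_version "$1") || { echo "unknown"; return 0; }
    rc=0
    openssl_version_affected "$ver" || rc=$?
    case $rc in
        0) echo "affected" ;;
        1) echo "not-affected" ;;
        *) echo "unknown" ;;
    esac
}

# Survey this host: the openssl CLI and, as one example of an application that
# links its own copy, the library python3's ssl module was built against.
report_local_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        out=$(openssl version)
        printf 'openssl CLI : %s -> %s\n' "$out" "$(classify_openssl_output "$out")"
    fi
    if command -v python3 >/dev/null 2>&1; then
        out=$(python3 -c 'import ssl; print(ssl.OPENSSL_VERSION)' 2>/dev/null) &&
            printf 'python3 ssl : %s -> %s\n' "$out" "$(classify_openssl_output "$out")"
    fi
}

if [ "${1:-}" = "--local" ]; then
    report_local_openssl
else
    # Constructed sample banners (not captured from a real host) to show the classifier.
    for sample in "OpenSSL 3.0.5 5 Jul 2022" "OpenSSL 3.0.7 1 Nov 2022" \
                  "OpenSSL 1.1.1q  5 Jul 2022" "OpenSSL 3.0.7-dev" "LibreSSL 3.3.6"; do
        printf '%-28s -> %s\n' "$sample" "$(classify_openssl_output "$sample")"
    done
fi
```

Run it with `--local` on each host, or feed it the output of `openssl version` collected by your configuration-management tooling. Anything reported as `unknown` (development snapshots, vendor-modified banners) needs a manual look rather than being assumed safe.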

All 3.0 releases before 3.0.7 are affected

A concerned user asked the project on Twitter why it announced the patch before releasing it. A pre-announcement can prompt attackers to 'scour' the project's commit history for the change that fixes the bug.

Mark Cox, one of the OpenSSL project's founders and formerly head of product security at Red Hat, replied that such scouring is extremely unlikely to succeed given the volume of changes in the 3.0 branch and the absence of any further context.

The previous critical issue, in 2016, was a bug that could allow remote code execution (RCE); it was present in a release for four days before being found and fixed. By contrast, the newly announced vulnerability affects every 3.0 release from 3.0.0 (September 2021) through 3.0.6, so it has been present in shipping code for over a year.

Potentially wide impact

OpenSSL is the world's most widely used open-source cryptographic library. It is used by the vast majority of HTTPS websites and by many web servers and other applications, so a critical vulnerability can affect a broad range of enterprises as well as personal online privacy.

Under the OpenSSL Project's security policy, when a fix for an issue rated "critical" is coming, the date and time of the release are announced to all users in advance. Organizations on the project's pre-notification list (chiefly operating-system distributors) may additionally receive the fix ahead of time, along with details of the precise nature and severity of the problem. For everyone else the advance notice gives only the release date: until November 1 there is nothing to patch, so the useful preparation is to identify which systems and applications are running OpenSSL 3.0.x and to be ready to update them as soon as 3.0.7 is out.
