The critical Heartbleed vulnerability in OpenSSL in 2014 widely affected both server and client programs, causing numerous security issues. As software, the existence of vulnerabilities is inevitable. Thanks to OpenSSL being open source, the vulnerabilities were quickly fixed after the researchers notified them.
Now OpenSSL has a new major security problem. The specific problem is not clear for the time being. The OpenSSL project team has issued
a notice in advance to remind developers and enterprises to prepare for updates.
Specifically, OpenSSL version 3.0.7 will be released between 13 and 17:00 UTC on November 1, 2022, when the OpenSSL project will announce the vulnerability CVE number and other vulnerability details. The highest severity vulnerability fixed in OpenSSL is critical. According to the security policy, CRITICAL severity “affects common configurations and which are also likely to be exploitable. Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys or where remote code execution is considered likely in common situations. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to address these as soon as possible.”
However, according to security experts, this vulnerability seems to only affect OpenSSL versions 3.0~3.0.6. But according to OpenSSL’s own statistics, most enterprises are still in OpenSSL 1.x version. It is important to remind you that only version 1.1.1 is also eligible for LTS long-term support, other versions have been unable to update, so the bugs will not be fixed.
The OpenSSL 1.1.1 update will also be rolled out simultaneously on November 1, and it will take a few days to see if it is affected.
Whether developers and businesses are using Linux, Windows, or other operating systems, they need to be prepared for updates to avoid the Heartbleed vulnerability again. The server will be hacked if the update was not timely.