The OpenSSL Project team has released the patch for a significant security vulnerability identified within version 3 of the OpenSSL library.
On November 1, 2022, the OpenSSL Project team announced the release of a patch for a significant security vulnerability identified in version 3 of the OpenSSL library.
OpenSSL is a cryptographic software library that offers an open-source implementation of the SSL/TLS protocols. It is used by a vast number of applications, operating systems, and devices throughout the internet. The exposure from this vulnerability is therefore likely to be extremely wide-reaching, and affected systems must be updated immediately.
This vulnerability does not affect Sectigo certificates in any way, and therefore, no Sectigo certificates need to be revoked or replaced.
The patch fixes two bugs identified in OpenSSL versions 3.0.0 through 3.0.6. Both bugs involve the handling of international domain names (non-ASCII characters) and are triggered by specially crafted, malicious email addresses in digital certificates. It is also important to note that the severity of this issue was downgraded from ‘critical’ to ‘high,’ though it is still crucial that the update be applied today.
According to OpenSSL, details of the bugs include:
Both of these vulnerabilities were fixed in OpenSSL 3.0.7. View the full details here and read OpenSSL’s blog post.
It is crucial that enterprises using OpenSSL 3.0.0 through 3.0.6 update their systems immediately, as these high-severity vulnerabilities are likely to become targets quickly. Please ensure the cybersecurity teams within your organization are aware of this vulnerability and are prepared to deploy the OpenSSL patch today.
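To help identify hosts that still fall in the affected range, here is an added POSIX shell check (not from this post or from the OpenSSL project) that classifies an `openssl version` string as affected (3.0.0 through 3.0.6) or not; the function names and sample strings are my own.

```shell
#!/bin/sh
# Added example: classify an `openssl version` string against the range
# the advisory names as affected (3.0.0 through 3.0.6).
# Prints "affected" or "not-affected"; returns 0 when affected.
openssl_is_affected() {
    # Extract the dotted numeric version, e.g. "OpenSSL 3.0.5 5 Jul 2022" -> "3.0.5".
    # Non-OpenSSL strings (e.g. LibreSSL) yield an empty string.
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p')
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch="" ;;          # no patch component present
    esac
    patch=${patch%%[!0-9]*}       # keep only the leading digits

    # Only the 3.0.x branch is in scope; 1.1.1 and 3.0.7+ are outside the range.
    case "$major.$minor" in
        3.0) ;;
        *) echo "not-affected"; return 1 ;;
    esac
    if [ -n "$patch" ] && [ "$patch" -le 6 ]; then
        echo "affected"; return 0
    fi
    echo "not-affected"; return 1
}

# Check the local binary, if any (hypothetical helper; safe to run on any host).
check_local_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        openssl_is_affected "$(openssl version)"
    else
        echo "no-openssl-binary"; return 2
    fi
}

# Constructed sample strings showing each case.
openssl_is_affected "OpenSSL 3.0.5 5 Jul 2022"   # affected
openssl_is_affected "OpenSSL 3.0.7 1 Nov 2022"   # not-affected
openssl_is_affected "OpenSSL 1.1.1q  5 Jul 2022" # not-affected
```

Run it against the output of `openssl version` on each host, or feed it version strings collected by your inventory tooling.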
You can also learn more about the vulnerability by listening to Root Causes 253: OpenSSL Vulnerability Explained.