Vulnerability in OpenSSL: prepare for updates

A critical vulnerability has been found in OpenSSL 3.0. The OpenSSL development team has announced that they will release version 3.0.7 on Tuesday, Nov. 1, 2022. This new version will fix the vulnerability. The vulnerability is not present in versions lower than 3.0. Versions 1.1.1 and 1.0.2 are therefore not affected by this problem.

OpenSSL is among the most widely used software components for encrypting network connections. The NCSC recommends mapping which software within your organization uses OpenSSL. Prepare your organization to patch relevant software immediately as soon as updates are available.

To assist organizations in mapping vulnerable systems, the NCSC has set up a Github page that maintains an overview of products that use OpenSSL. Where possible, it indicates which products are using a vulnerable version. The NCSC will actively maintain this Github page in the near future.

No further information about the vulnerability is available at this time. It is unknown to the NCSC whether the problem exists in one or more 3.0 versions and whether abuse has already occurred. As soon as the patch or relevant information becomes available, the NCSC will issue a security advisory.