Everyone depends on OpenSSL. You may not know it, but OpenSSL is what makes it possible to use secure Transport Layer Security (TLS) on Linux, Unix, Windows, and many other operating systems. It's also what is used to lock down pretty much every secure communications and networking application and device out there.
So we should all be concerned that Mark Cox, a Red Hat Distinguished Software Engineer and the Apache Software Foundation (ASF)'s VP of Security, this week tweeted, "OpenSSL 3.0.7 update to fix Critical CVE out next Tuesday 1300-1700UTC."
How bad is "Critical"? According to OpenSSL, an issue of critical severity affects common configurations and is also likely exploitable.
It's likely to be abused to disclose server memory contents, and potentially reveal user details, and could be easily exploited remotely to compromise server private keys or execute code execute remotely. In other words, pretty much everything you don't want happening on your production systems.
But couldn't a hacker find it and exploit it as a zero-day? He doesn't think so. "Given the number of changes in 3.0 and the lack of any other context information, such scouring is very highly unlikely."
If you're a Linux user, you can check your own system by running the shell command:
# openssl version
In my case, my laptop in front of me is running Debian Bullseye, which uses OpenSSL 1.1, so this machine is good.
But, if you're using anything with OpenSSL 3.x in -- anything -- get ready to patch on Tuesday. This is likely to be a bad security hole, and exploits will soon follow. You'll want to make your systems safe as soon as possible.