A critical OpenSSL vulnerability has been disclosed for OpenSSL v3.0 and above.

The OpenSSL project team released the patched version, OpenSSL 3.0.7, on 2 November 2022 NZDT. The announcement can be found here.

OpenSSL can be included in operating systems, network devices and software. The following distributions may include OpenSSL 3 by default:

  • CentOS Stream 9
  • Red Hat Enterprise Linux 9 (RHEL 9)
  • Ubuntu 22.10
  • Ubuntu 22.04 LTS
  • Fedora Rawhide
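To triage hosts against the affected range, the following shell example (added here; not code from the advisory or from the OpenSSL project) classifies the output of `openssl version`. It assumes the upstream numbering the advisory describes: 3.0.0 through 3.0.6 affected, 3.0.7 patched.

```shell
#!/bin/sh
# Added example, not code from the advisory or the OpenSSL project.
# Classifies an `openssl version` string against the range this advisory covers:
# upstream 3.0.0 through 3.0.6 are affected, 3.0.7 carries the fix.

# Prints one of: affected, patched, not-3.0, unknown.
openssl_status() {
    case $1 in
        'OpenSSL '[0-9]*) ver=${1#"OpenSSL "}; ver=${ver%% *} ;;  # "3.0.6 15 Sep 2022" -> "3.0.6"
        *) echo unknown; return 0 ;;                               # e.g. LibreSSL, as shipped on macOS
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}          # drop letter or "-dev" suffixes so the comparison is numeric
    # 1.1.1 and 3.1+ are outside the 3.0 branch this advisory is about
    [ "$major.$minor" = "3.0" ] || { echo not-3.0; return 0; }
    if [ "${patch:-0}" -lt 7 ]; then echo affected; else echo patched; fi
}

# Caveats for a real fleet check:
#  - `openssl version` reports the library behind the CLI; applications that bundle or
#    statically link their own OpenSSL 3 (language runtimes, appliances) need a separate check.
#  - Distributions that backport fixes keep the upstream version number while shipping the
#    fix, so confirm "affected" against the vendor's package advisory before acting on it.
if command -v openssl >/dev/null 2>&1; then
    echo "local openssl: $(openssl_status "$(openssl version)")"
fi
```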

Update 2 November 2022: There are two vulnerabilities related to this advisory, CVE-2022-3786 and CVE-2022-3602. The severity of the more serious of the two has been downgraded from CRITICAL to HIGH, because many modern platforms have protections that prevent an attacker from exploiting the vulnerability. For more detailed information, please refer to OpenSSL’s blog post found here.