A critical vulnerability was discovered in current versions of OpenSSL affecting almost every organization. A fix is now out. Learn more about the vulnerabilities and what to do if you have been impacted.

In 2022, AWS (Amazon Web Services) remains one of the dominant cloud platforms and continues to be recognized as a leader in Cloud Infrastructure and Platform Services. AWS accounts for 34% of the cloud infrastructure service providers, so many organizations today have either all, most, or at least some of their infrastructure on AWS.

This is a work-in-progress blog post. It will be updated when more information is available. For more detailed information about the vulnerability, see the How the Critical OpenSSL Vulnerability may affect Popular Container Images blog post. A critical vulnerability with an expected high or critical severity rate of CVSS score is about to be announced on November 1st on the OpenSSL project. There are still no details besides an announcement on the OpenSSL mailing list on October 25th.

The big news this week is that a new CRITICAL OpenSSL vulnerability will be announced on November 1st, 2022. Critical-severity OpenSSL vulnerabilities don’t come along every day – the last was CVE-2016-6309, which ended up only affecting a single version of the software. The more famous vulnerability, known as Heartbleed, came out in 2014. Will this be more like Heartbleed or the vulnerability in 2016? We will soon find out.

Understand what steps your organization needs to take now to prepare for the upcoming patch to address OpenSSL’s critical security vulnerability on November 1. Security experts are giving organizations advance disclosure of a critical vulnerability discovered in OpenSSL version 3.0 and above, leaving many to speculate about the potential impact to their organization.

OpenSSL.org has announced that an updated version of its OpenSSL software package (version 3.0.7) will be released on November 1, 2022. This update contains a fix for a yet-to-be-disclosed security issue with a severity rating of “critical” that affects OpenSSL versions above 3.0.0 and below the patched version of 3.0.7, as well as applications with an affected OpenSSL library embedded.

OpenSSL is the most popular implementation of the TLS protocol (Transport Layer Security) which is essentially the de-facto security protocol of the internet today. The OpenSSL team announced critical security updates of versions above version 3.0 (OpenSSL 3.0 was released on September 7, 2021). The myriad of projects and software depending on OpenSSL must update and release a new version to enable end users to start patching their systems.

Fuzzing is a software security testing technique that automatically provides invalid and random input to an application to expose bugs. The goal of fuzzing is to stress the application to cause unexpected behavior, crashes, or resource leaks. It allows us, as developers, to understand the behavior and vulnerability of applications more comprehensively. We use fuzzing tools, referred to as fuzzers, to perform this kind of testing.

Read also: Apple fixes yet another iOS zero-day, Iranian atomic energy agency hit by hackers, and more.