Today the OpenSSL project team released a security fix (version 3.0.7) for a high-severity vulnerability, originally rated critical, in versions 3.0 and above. OpenSSL is a commonly used open-source software library, so vulnerabilities in OpenSSL have the potential for high disruption. However, version 3.0 was released in September 2021, so only those using the recent version 3.0 and higher are affected. Any applications using older versions are not impacted by this vulnerability. Check which version of OpenSSL you are using with our guide. For a full list of the software affected and not affected by this vulnerability, check here: https://github.com/NCSC-NL/OpenSSL-2022/tree/main/software.
OpenSSL originally labeled CVE-2022-3602 with the highest severity, "critical," which OpenSSL defines as a vulnerability that “affects common configurations and which are also likely to be exploitable.” It has since been downgraded to "high" severity, which OpenSSL defines as “of a lower risk than critical, perhaps due to affecting less common configurations, or which are less likely to be exploitable.” Affected installations should still be upgraded as soon as possible.
There is no known impact to DigiCert customers or DigiCert operations.
Currently, OpenSSL is not aware of any existing exploits of this vulnerability. According to OpenSSL, “Any OpenSSL 3.0 application that verifies X.509 certificates received from untrusted sources should be considered vulnerable. This includes TLS clients, and TLS servers that are configured to use TLS client authentication.” Replacing TLS/SSL server certificates will not be necessary.
Companies are advised to scan their systems for uses of OpenSSL 3.0 and above and to upgrade any instances found to 3.0.7 as soon as possible. Additionally, if you use third-party applications, check with the vendors to see whether they use OpenSSL 3.0 and above and request that they also patch where necessary. Finally, any new applications should use OpenSSL 3.0.7.
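As an added example (not DigiCert's or the OpenSSL project's own code), the script below turns the scan-and-upgrade advice into a repeatable check: it classifies `openssl version` banners against the 3.0.0 to 3.0.6 affected range, picks out the hosts from an inventory that need the 3.0.7 upgrade, and also reports the OpenSSL copy linked into the running Python interpreter, since the `ssl` module is itself one of the "applications that verify X.509 certificates" the advisory describes. The hostnames and banners in `SAMPLE_INVENTORY` are constructed for the example; treating releases after 3.0.7 as fixed, and banners from LibreSSL or BoringSSL as outside this advisory, are stated assumptions in the code.

```python
import re
import ssl
import subprocess

# First OpenSSL release carrying the fix, per the advisory above.
FIXED_VERSION = (3, 0, 7)

# Matches the numeric part of an "openssl version" banner such as
# "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q  5 Jul 2022" (a bare "3.0.5" also works).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Return (major, minor, patch) from a version banner, or None if absent."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def classify_openssl_version(banner):
    """Classify one version banner against CVE-2022-3602.

    Verdicts:
      "not-applicable" - the banner names a different library (LibreSSL, BoringSSL);
                         assumption: those forks are outside this advisory
      "unknown"        - no dotted version number could be found
      "not-affected"   - OpenSSL older than the 3.0 series (1.1.1, 1.0.2, ...)
      "affected"       - OpenSSL 3.0.0 through 3.0.6: upgrade to 3.0.7
      "fixed"          - 3.0.7 or later (assumption: later branches carry the fix)
    """
    lowered = banner.lower()
    if "libressl" in lowered or "boringssl" in lowered:
        return "not-applicable"
    version = parse_version(banner)
    if version is None:
        return "unknown"
    if version[0] < 3:
        return "not-affected"
    if version < FIXED_VERSION:
        return "affected"
    return "fixed"


def hosts_to_upgrade(inventory):
    """Given {host: banner}, return the sorted hosts whose OpenSSL is 3.0.0 to 3.0.6."""
    return sorted(h for h, b in inventory.items() if classify_openssl_version(b) == "affected")


def local_findings():
    """Check the openssl CLI on PATH and the OpenSSL linked into this interpreter.

    The CLI is only one consumer of the library: the Python ssl module (like any
    TLS client or client-authenticating server) verifies X.509 certificates with
    its own linked copy, so it is reported as a separate finding.
    """
    findings = []
    try:
        proc = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=False)
        banner = proc.stdout.strip()
    except OSError:  # no openssl binary on PATH, or not executable
        banner = ""
    findings.append(("openssl CLI", banner, classify_openssl_version(banner)))
    findings.append(("python ssl module", ssl.OPENSSL_VERSION,
                     classify_openssl_version(ssl.OPENSSL_VERSION)))
    return findings


# Constructed sample inventory: hostnames and banners are made up for this example.
SAMPLE_INVENTORY = {
    "web-02": "OpenSSL 3.0.5 5 Jul 2022",
    "db-01": "OpenSSL 1.1.1q  5 Jul 2022",
    "build-01": "OpenSSL 3.0.2 15 Mar 2022",
    "api-03": "OpenSSL 3.0.7 1 Nov 2022",
    "mac-laptop": "LibreSSL 3.3.6",
}

if __name__ == "__main__":
    print("hosts to upgrade:", hosts_to_upgrade(SAMPLE_INVENTORY))
    for source, banner, verdict in local_findings():
        print(f"{source:18s} {verdict:15s} {banner}")
```

In practice the inventory would be fed from whatever collects `openssl version` output across the fleet; the point of keeping the classification in one function is that the same rule is applied to the CLI, to embedded copies inside interpreters and third-party applications, and to vendor responses, so nothing is judged by the binary on PATH alone.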
Applications using OpenSSL versions prior to 3.0 do not need to immediately update, but managers should be aware that OpenSSL 1.1.1 will only be supported until Sept. 11, 2023. Additionally, OpenSSL recommends that all users update to the latest version.
Please reach out to your account rep if you have any further questions.
Learn more about this release on the OpenSSL blog.