This message is intended for U-M IT staff who are responsible for university systems running OpenSSL 3.0 or later.
Summary
A critical vulnerability has been found in versions of OpenSSL 3.0 or later. Systems running v.3.0 or later should be updated to OpenSSL 3.0.7 as soon as possible after appropriate testing, when the update is made available on November 1, 2022.
Problem
A patch for a critical vulnerability in OpenSSL versions 3.0 or later has been announced. The patch will be released on November 1. Specifics about this vulnerability will not be released until the patch is available, but this is only the second time OpenSSL has ever categorized a vulnerability as "critical". The only other time was the vulnerability known as "Heartbleed," which allowed an attacker to easily read sensitive data from memory on impacted devices. Because of the "critical" rating of this vulnerability, ITS IA is asking that anyone running a system using OpenSSL 3.0 or later be ready to test and patch as quickly as possible.
Affected Versions
OpenSSL 3.0 or later
Action Items
Check for installations of OpenSSL v.3.0 or later on systems for which you are responsible. Prepare to test and apply the November 1 patch as soon as possible after it is released.
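The following POSIX shell snippet is an added example, not part of the ITS advisory: it takes the banner printed by "openssl version" and decides whether that build falls in the affected range, treating any 3.x release older than the 3.0.7 fix as affected and anything else (1.1.1, 3.0.7 and later, non-OpenSSL banners such as LibreSSL) as not affected. The sample banners at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the ITS advisory): classify an "openssl version"
# banner against the affected range. Assumption: the fix ships as 3.0.7,
# so any 3.x build older than that is flagged.

# Extract the dotted version number (e.g. "3.0.5") from a banner such as
# "OpenSSL 3.0.5 5 Jul 2022". Prints nothing for non-OpenSSL banners.
openssl_version_number() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p'
}

# Exit 0 (true) when the banner is OpenSSL 3.x older than 3.0.7, else 1.
is_affected() {
    ver=$(openssl_version_number "$1")
    [ -n "$ver" ] || return 1            # not an OpenSSL banner at all
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0    # bare "3.0" with no patch field
    [ "$major" -eq 3 ] || return 1       # 1.1.1 and earlier: not affected
    [ "$minor" -eq 0 ] || return 1       # 3.1+ would already be past 3.0.7
    [ "$patch" -lt 7 ]                   # 3.0.0 .. 3.0.6: affected
}

# Print one line per banner so the result can be collected across hosts.
report() {
    if is_affected "$1"; then
        printf 'AFFECTED   %s\n' "$1"
    else
        printf 'ok         %s\n' "$1"
    fi
}

# Constructed sample banners (illustration only), followed by the live
# system's own banner if the openssl binary is on PATH.
report "OpenSSL 3.0.5 5 Jul 2022"
report "OpenSSL 3.0.7 1 Nov 2022"
report "OpenSSL 1.1.1q 5 Jul 2022"
report "LibreSSL 3.3.6"
command -v openssl >/dev/null 2>&1 && report "$(openssl version)"
```

The check only covers the system-wide openssl binary; applications that bundle their own copy of libssl (containers, vendor appliances, statically linked software) need to be inventoried separately, for example by running the same classification on the version string each package manager or vendor reports.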
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
- Second-ever OpenSSL critical vulnerability teased, 10 years after Heartbleed (IT Pro, 10/28/22)
- Prepare Now for Critical Flaw in OpenSSL, Security Experts Warn (Dark Reading, 10/27/22)
- Incoming OpenSSL critical fix: Organizations, users, get ready! (Help Net Security, 10/26/22)
- OpenSSL Deems Vulnerability ‘Critical’, Will Publish Patch Tuesday (Security Boulevard, 10/31/22)
- Discovering the Critical OpenSSL Vulnerability with the CrowdStrike Falcon Platform (Crowdstrike Blog, 10/28/22)