ALERT: Patch OpenSSL versions 3.0 or later for critical vulnerability starting Nov. 1

11/01/2022

This message is intended for U-M IT staff who are responsible for university systems running OpenSSL 3.0 or later.

Summary

A critical vulnerability has been found in OpenSSL versions 3.0 or later. Systems running version 3.0 or later should be updated to OpenSSL 3.0.7 as soon as possible after appropriate testing, once the update is made available on November 1, 2022.

Problem

A patch for a critical vulnerability in OpenSSL versions 3.0 or later has been announced. The patch will be released on November 1. Specifics about this vulnerability will not be released until the patch is available, but this is only the second time OpenSSL has ever categorized a vulnerability as "critical". The only other time was the vulnerability known as "Heartbleed," which allowed an attacker to easily read sensitive data from memory on impacted devices. Because of the "critical" rating of this vulnerability, ITS IA is asking that anyone running a system using OpenSSL 3.0 or later be ready to test and patch as quickly as possible.

Affected Versions

OpenSSL 3.0 or later

Action Items

Check for installations of OpenSSL v.3.0 or later on systems for which you are responsible. Prepare to test and apply the November 1 patch as soon as possible after it is released.
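
One way to carry out the check above, shown as an added example that is not part of the original alert. The function names and sample version strings are constructed for illustration; the thresholds (3.0 or later affected, 3.0.7 fixed) are the alert's.

```shell
#!/bin/sh
# Added example, not from the alert. Thresholds: 3.0+ affected, 3.0.7 is the fix.

# Pull the first x.y.z number out of text such as `openssl version` output.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Classify one version string against the alert's affected range.
classify_openssl_version() {
    case "$1" in
        *LibreSSL*|*BoringSSL*) echo "not-openssl"; return 0 ;;  # forks number differently
    esac
    ver=$(extract_version "$1")
    [ -n "$ver" ] || { echo "unknown"; return 0; }
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    if [ "$major" -lt 3 ]; then
        echo "not-affected"        # below 3.0: outside the alert's affected range
    elif [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -lt 7 ]; then
        echo "needs-update"        # 3.0.0 through 3.0.6
    else
        echo "at-or-above-fix"     # 3.0.7 or numerically higher
    fi
}

# List OpenSSL 3.x shared libraries under the given directories; copies bundled
# with applications do not show up in `openssl version`.
find_openssl3_libs() {
    find "$@" -type f \( -name 'libssl.so.3*' -o -name 'libcrypto.so.3*' \) 2>/dev/null || true
}

# Constructed sample strings (not captured from real hosts).
for sample in \
    "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)" \
    "OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)" \
    "OpenSSL 1.1.1q  5 Jul 2022" \
    "LibreSSL 3.3.6"
do
    printf '%-16s %s\n' "$(classify_openssl_version "$sample")" "$sample"
done

# Classify the openssl binary on this host's PATH, if there is one.
if command -v openssl >/dev/null 2>&1; then
    out=$(openssl version 2>/dev/null) || out=""
    printf '%-16s %s (local)\n' "$(classify_openssl_version "$out")" "$out"
fi
```

Distribution packages can carry a backported fix without changing the upstream version number, so confirm a needs-update result against the vendor's package advisory. To look for bundled copies, call find_openssl3_libs with the directories to search, for example /usr and /opt.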

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.