On Tuesday, Nov 1st 2022, the OpenSSL project will release a new version of the OpenSSL library (version 3.0.7) that patches a CRITICAL issue in current versions (3.0 and above) of the library.
The vulnerability the patch addresses has not yet been disclosed; its details will most likely be published at the same time the update becomes available. Hoxhunt will act immediately upon release of the update to protect all of its applications that use the OpenSSL library by updating to the new version. OpenSSL is the de facto standard library for encrypting communications, so the update will potentially affect many client and server applications throughout the Internet.
Because we know neither the exact release time of the library update nor the details of the vulnerability, we are preparing to do multiple releases on Tuesday afternoon (UTC), starting as soon as the library update is out.
Our service might be disrupted during the updates.
UPDATE 1st November 17:00 CET: OpenSSL project released OpenSSL version 3.0.7 to address two recently discovered vulnerabilities, CVE-2022-3786 and CVE-2022-3602. Both vulnerabilities were downgraded from CRITICAL to HIGH before their publication by OpenSSL project.
UPDATE 2nd November 13:00 CET: The anticipated OpenSSL update to version 3.0.7 was released yesterday evening at 17:00 CET accompanied by details of the vulnerabilities it fixed. In the release, the previously announced but unspecified critical issue was downgraded into two high severity issues.
Our engineering team continues to monitor the situation closely and to apply patches and other mitigations where required.
We will now end the separate maintenance mode announced at https://status.hoxhunt.com/.
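The first step in applying the patch is knowing which hosts actually run an affected build. The following is an added example, not Hoxhunt's or the OpenSSL project's own tooling: it parses the banner printed by `openssl version` and flags builds in the affected range stated in this announcement (3.0.x before the 3.0.7 fix; older branches such as 1.1.1 are not affected). The host names and banner strings are constructed sample data.

```python
import re

# Affected range per the advisory: OpenSSL 3.0.0 up to, but not including, 3.0.7.
AFFECTED_MIN = (3, 0, 0)
FIXED = (3, 0, 7)

# Matches the version triple in output such as "OpenSSL 3.0.5 5 Jul 2022".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner: str):
    """Return (major, minor, patch) from an `openssl version` banner, or None
    if the banner is not OpenSSL output (e.g. LibreSSL reports its own name)."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(banner: str) -> bool:
    """True when the banner reports a 3.0.x build older than 3.0.7."""
    v = parse_openssl_version(banner)
    if v is None:
        return False
    return AFFECTED_MIN <= v < FIXED


def triage(banners):
    """Map each host to 'patch', 'ok' or 'unknown' from a {host: banner} inventory."""
    result = {}
    for host, banner in banners.items():
        if parse_openssl_version(banner) is None:
            result[host] = "unknown"   # not OpenSSL, or unparseable: check by hand
        elif is_affected(banner):
            result[host] = "patch"
        else:
            result[host] = "ok"
    return result


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE = {
    "web-1": "OpenSSL 3.0.5 5 Jul 2022",
    "web-2": "OpenSSL 3.0.7 1 Nov 2022",
    "legacy-1": "OpenSSL 1.1.1q  5 Jul 2022",
    "mystery": "LibreSSL 3.3.6",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" still need a manual look, since a statically linked or vendored copy of OpenSSL will not show up in the system binary's banner.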
Impact of the vulnerabilities
Details of the potential impact to Hoxhunt and its customers will be summarized here once they are available.
The OpenSSL blog post (linked below) contains a good FAQ section with more information on the general impact of both vulnerabilities.
OpenSSL Release: OpenSSL version 3.0.7 released: https://mta.openssl.org/pipermail/openssl-announce/2022-November/000241.html
OpenSSL Security Advisory [01 November 2022]: https://www.openssl.org/news/secadv/20221101.txt
OpenSSL Blog: CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows: https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/