This high-severity vulnerability affects the OpenSSL version 3.0 series. If you’re using an earlier version of OpenSSL (i.e., anything 3.X.X) on your server or platform, then this CVE doesn’t affect you

If your web servers or other systems use Openssl version 3.X.X, you’ll want to update to version 3.0.7 immediately. The OpenSSL Project released an update that addresses a high-level vulnerability in the version 3.0 series of their open source library and command line tool. If you saw similar headlines over the last week, you may have noticed that there was a critical vulnerability that they said they’d fix in the OpenSSL version 3.0.7 release on Nov. 1. However, the good news is that this common vulnerability exploit (CVE-2022-3602) has been downgraded to a high-severity vulnerability instead.

If the Project stuck with the original critical ranking, it would have made this the second critical severity vulnerability they’ve announced since 2014 (when the organization started ranking them). Remember the OpenSSL Heartbleed bug? Yeah, that was the reason why the OpenSSL Project started ranking the severity of these vulnerabilities in the first place.

Now, don’t misinterpret what we’re saying — this OpenSSL vulnerability is still a serious issue that you need to address quickly. Knowing this, we’ll jump right to what you need to know about CVE-2022-3602.

Let’s hash it out.

The post OpenSSL Issues Update to Fix Formerly ‘Critical’ Vulnerability Nov. 1 appeared first on Hashed Out by The SSL Store™.