Action Required: critical vulnerability in OpenSSL v3, patch to be released tomorrow

OpenSSL developers have released a notification about a critical vulnerability discovered in version 3 of OpenSSL. This vulnerability will be fixed in version 3.0.7 which is expected to be released tomorrow, Tuesday November 1st, between 13:00 and 17:00 UTC.

Please note that this vulnerability does not affect DHIS2 directly but may impact the server on which DHIS2 is deployed in certain circumstances.

At this time, no additional information has been released by the OpenSSL team. We will update this post as soon as more information is made available.

On Unix operating systems, including Ubuntu or any other flavor of Linux, you can verify which version of OpenSSL you have installed by running the following command in your terminal:

$ openssl version

If you are running any version between 3.0.0 and 3.0.6 please upgrade as soon as the patch is released!

To download the latest version of OpenSSL, refer to the official OpenSSL download page. If your operating system provides a package manager you may also be able to use it to upgrade your OpenSSL, but please ensure that you confirm the version number after installing as new versions may not be immediately available in operating system package repositories.

Vulnerabilities rated as “critical” by the OpenSSL team may allow an attacker to gain remote access to systems running common configurations and can be quickly exploited to compromise a large number of vulnerable systems exposed to the internet.

You can read the official announcement of the vulnerability on the OpenSSL website here.

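A small POSIX shell check for the version procedure in the post above (an added example, not part of the original post or of DHIS2): it parses the output of `openssl version` and reports whether the installed build falls in the 3.0.0 to 3.0.6 range named above. The version strings used to exercise it are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example: classify `openssl version` output against the affected
# range 3.0.0 .. 3.0.6 (inclusive) given in the post above.

# Extract the "X.Y.Z" field from a line such as "OpenSSL 3.0.5 5 Jul 2022".
openssl_version_number() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# Returns 0 (true) when the version lies within 3.0.0 .. 3.0.6, and 1
# (false) otherwise: 3.0.7 and later, the 1.1.x series, or unparseable input.
openssl_affected() {
    ver=$(openssl_version_number "$1")
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # Drop any suffix after the digits (e.g. "0-dev") so the comparison is numeric.
    patch=$(printf '%s' "$patch" | sed 's/[^0-9].*$//')
    # Only the 3.0.x series is in scope; everything else is outside the range.
    [ "$major" = "3" ] && [ "$minor" = "0" ] || return 1
    # A patch level that is empty or non-numeric cannot be classified as affected.
    case "$patch" in ''|*[!0-9]*) return 1 ;; esac
    [ "$patch" -le 6 ]
}

# Check the OpenSSL actually installed on this host and print a verdict.
# Exit status: 0 affected, 1 not in range, 2 openssl binary not found.
report_local_openssl() {
    line=$(openssl version 2>/dev/null) || { echo "openssl not found"; return 2; }
    if openssl_affected "$line"; then
        echo "AFFECTED: $line (upgrade to 3.0.7 as soon as it is released)"
        return 0
    else
        echo "not in affected range: $line"
        return 1
    fi
}
```

Distribution packages sometimes carry a security fix as a backport under an unchanged upstream version string, so when you upgrade through the package manager, confirm the package changelog as well as the number printed here.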

The advisory for the OpenSSL vulnerability mentioned above has been released.

In light of further testing, OpenSSL has downgraded the rating from “critical” to “high”. Still, we recommend upgrading OpenSSL to version 3.0.7 as soon as possible.
