Patch OpenSSL 3.0.0 - 3.0.6 for buffer overflow vulnerability

Updated 11-1-2022

This message is intended for U-M IT staff who are responsible for university systems running OpenSSL 3.0.0 - 3.0.6.

This advisory updates information provided in the ITS Information Assurance Alert from 10-31-2022. Specifics about the vulnerability announced on 10-31-2022 have been released. Please note that the severity rating of this vulnerability has changed from critical to high.

Summary

A buffer overflow vulnerability has been found in versions of OpenSSL 3.0.0 - 3.0.6. Systems running OpenSSL 3.0.0 - 3.0.6 should be updated to OpenSSL 3.0.7 as soon as possible after appropriate testing.

Problem

A buffer overflow vulnerability in OpenSSL 3.0.0 - 3.0.6 may leave systems running those versions of OpenSSL vulnerable to compromise, including possible remote code execution (RCE). A patch for the vulnerability in OpenSSL 3.0.0 - 3.0.6 has been announced and should be applied as soon as possible after appropriate testing. This patch updates systems to OpenSSL 3.0.7.

Affected Versions

OpenSSL 3.0.0 - 3.0.6

Action Items

Check for installations of OpenSSL 3.0.0 - 3.0.6 on systems for which you are responsible. Test and apply the patch to OpenSSL 3.0.0 - 3.0.6 as soon as possible.
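One way to carry out the first action item, as an added check script that is not part of this advisory: it parses the banner printed by `openssl version` and reports whether the version falls in the affected 3.0.0 - 3.0.6 range. The sample banners are constructed; the check of the local binary runs only if an `openssl` executable is on PATH.

```shell
#!/bin/sh
# Added example (not part of the U-M advisory): flag OpenSSL versions in the
# affected range 3.0.0 - 3.0.6 so the host can be scheduled for the 3.0.7 update.

# is_affected "<version>": returns 0 (true) only for 3.0.0 .. 3.0.6.
is_affected() {
    # Drop any letter suffix (e.g. 1.1.1q) so the three fields stay numeric.
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    # Malformed or short strings (empty, "3.0", non-OpenSSL) are never "affected".
    if [ -z "$major" ] || [ -z "$minor" ] || [ -z "$patch" ]; then
        return 1
    fi
    [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]
}

# version_from_banner "<openssl version output>": extracts the version field,
# e.g. "OpenSSL 3.0.5 5 Jul 2022" -> "3.0.5". Prints nothing for other
# libraries (LibreSSL on macOS reports a different banner and is not OpenSSL).
version_from_banner() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }'
}

# report "<version>": human-readable verdict for one version string.
report() {
    if is_affected "$1"; then
        echo "$1: AFFECTED - update to OpenSSL 3.0.7 after testing"
    else
        echo "$1: not in the affected range"
    fi
}

# Constructed sample banners (not captured from a real system).
for banner in "OpenSSL 3.0.5 5 Jul 2022" "OpenSSL 3.0.7 1 Nov 2022" \
              "OpenSSL 1.1.1q  5 Jul 2022"; do
    report "$(version_from_banner "$banner")"
done

# Check the OpenSSL binary on this host, if one is installed.
if command -v openssl >/dev/null 2>&1; then
    echo "local: $(report "$(version_from_banner "$(openssl version)")")"
fi
```

Distribution packages sometimes backport the fix without changing the version the binary reports, so confirm the package version against your distribution's own advisory as well. This only inspects the `openssl` binary on PATH; applications that bundle their own copy of libssl must be inventoried separately.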

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.