Upcoming Critical OpenSSL Vulnerability

This incident has been resolved.

We are continuing to work on a fix for this issue.

What is it?
The OpenSSL Project will release a security fix (OpenSSL version 3.0.7) for a new-and-disclosed CVE on Tuesday, November 1, 2022. This CVE is categorized as “CRITICAL” and affects all OpenSSL versions after 3.0.

Who is impacted?
Users running newer operating systems (OpenSSL versions after 3.0) and application stacks like NodeJS.
Linux Distro OpenSSL Version
CentOS Linux release 7.9 1.0.2
CentOS 8 (1.1.1)
CentOS Stream 9 (3.0.1)
Debian 11 (bullseye) (1.1.1)
Eneavour 2022.09.10 (1.1.1)
Fedora 34 (1.1.1)
Fedora 35 (1.1.1)
Fedora 36 (3.0.5)
Fedora Rawhide (3.0.5)
Kali 2022.3 (3.0.5)
Linux Mint 21 Vanessa (3.0.2)
Mageia 7 (1.1.1)
Mageia 8 (1.1.1)
Mageia Cauldron (3.0.5)
OpenMandriva 4.3 (3.0.3)
OpenMandriva Cooker (3.0.6)
OPNsense 22 1.1.1
OpenSuSE Leap 15.2 (1.1.1)
OpenSuSE Leap 15.3 (1.1.1)
OpenSuSE Leap 15.4 (1.1.1)
Proxmox 6 1.1.1
Redhat ES 9 3.0
Rocky Linux release 9.0 (Blue Onyx) 3.0.1
Slackware 14 1.0.1
Ubuntu 20.04 (1.1.1)
Ubuntu 22.04 (3.0.2)

Node.js v18.x and v19.x use OpenSSL v3. Therefore these release lines are impacted by this update.

References
https://isc.sans.edu/forums/diary/Upcoming+Critical+OpenSSL+Vulnerability+What+will+be+Affected/29192
https://www.globalsign.com/en/blog/urgent-patch-openssl-november-1-avoid-critical-security-vulnerability
https://nodejs.org/en/blog/vulnerability/openssl-november-2022/