HC3 TLP White: Sector Alert - Critical OpenSSL Vulnerability Will Require Action by Healthcare Organizations

October 28, 2022 

Executive Summary

A software library called OpenSSL – used with many of the most common operating systems and applications for secure communications – is going to receive an important update on Tuesday, November 1, 2022. OpenSSL is deployed ubiquitously across industries, including the health sector. HC3 highly recommends that all public and private health sector organizations identify all instances of OpenSSL in their infrastructure and prepare to test and deploy the patch as soon as it is released.

Report

OpenSSL is an open-source cryptographic library used with many of the most common operating systems and applications to implement Transport Layer Security and its predecessor protocol, Secure Sockets Layer, for security in communicating with web and other Internet-facing servers. An announcement by the OpenSSL Project on October 25 noted that a new version of OpenSSL (version 3.0.7) would be released on Tuesday 1st November 2022 between 1300-1700 UTC. This update will contain a patch for a vulnerability classified as critical. It is very rare for the OpenSSL Project to classify a vulnerability as critical. As of the release of this alert, no further technical details exist on this vulnerability. The protection of technical details by the OpenSSL Project is likely deliberate, to reduce attempts to identify and exploit this vulnerability prior to patch release on November 1.
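As an added illustration (not part of the HC3 alert and not OpenSSL Project tooling), one way to start the recommended inventory is to scan file contents for the version banner that OpenSSL builds embed, which also surfaces copies bundled inside applications. The function names, triage labels and default directory are assumptions of this example; because the alert names only the 3.0.7 release, other release lines are listed for review rather than judged.

```python
import os
import re
import sys

# OpenSSL builds embed a banner such as "OpenSSL 3.0.5 5 Jul 2022" in libcrypto
# and in binaries that link it statically, so scanning bytes finds bundled copies.
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*) +\d{1,2} [A-Z][a-z]{2} \d{4}")
FIXED = (3, 0, 7)  # release named in the alert


def versions_in(data: bytes) -> set:
    """Return every (major, minor, patch, letter) banner found in raw bytes."""
    return {(int(m[1]), int(m[2]), int(m[3]), m[4].decode())
            for m in BANNER.finditer(data)}


def triage(version) -> str:
    """Classify one version against the 3.0.7 release announced for November 1."""
    major, minor, patch, _ = version
    if (major, minor) == (3, 0):
        return "update-to-3.0.7" if (major, minor, patch) < FIXED else "at-or-above-3.0.7"
    # The alert gives no details for other release lines; list them for review.
    return "other-branch-review"


def scan_tree(root: str) -> list:
    """Walk root and return sorted (path, 'x.y.z', triage) rows for regular files."""
    rows = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it, do not abort the inventory
            for v in versions_in(data):
                rows.append((path, "%d.%d.%d%s" % v, triage(v)))
    return sorted(rows)


if __name__ == "__main__":
    # Default directory is an assumption; pass the tree to inventory as argv[1].
    for row in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "/usr/lib"):
        print("\t".join(row))
```

A file scan of this kind complements, rather than replaces, package-manager and vendor inventories, since appliances and container images need to be checked separately.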

View the detailed report below. 

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272