Updated: November 1st 2022, 23:06 UTC
In an official statement, the OpenSSL project team pre-announced a security release, which shipped on Tuesday November 1st 2022 as OpenSSL 3.0.7. The release fixes two vulnerabilities that were marked as CRITICAL in the pre-announcement but lowered to HIGH at release time.
The vulnerabilities (CVE-2022-3602 and CVE-2022-3786) affect OpenSSL 3.0.0 through 3.0.6 and have been fixed in OpenSSL 3.0.7. The 1.1.1 and 1.0.2 branches are not affected.
CVE-2022-3602 is a 4-byte stack buffer overflow in the punycode decoder used during X.509 name constraint checking; it can crash the process (DoS) and could in principle lead to remote code execution. CVE-2022-3786 is a variable-length stack buffer overflow in the same code path, triggered by a crafted email address in a certificate; the overflowing bytes are limited to the '.' character, so the practical impact is DoS. Both bugs are reached only after the certificate chain signature has been verified, so they require either a malicious certificate signed by a CA the peer trusts or an application that continues verification despite failing to build a path to a trusted issuer. They can be hit by a TLS client connecting to a malicious server, or by a TLS server that requests client certificates.
If all inbound traffic to your application is routed through open-appsec, your application is protected from these two vulnerabilities without any updates, even when the protected web server uses a vulnerable OpenSSL library. Note that this covers inbound connections only: if your application itself makes outbound TLS connections using a vulnerable OpenSSL 3.0.x, that client-side path is not covered. We recommend updating vulnerable versions of OpenSSL on your servers in any case.
The open-appsec deployment package does not ship its own OpenSSL; it installs one during setup. Unless manual changes were made, the OpenSSL library installed by default during deployment is from the 1.1.1 branch, which is not affected by these vulnerabilities. You can confirm the version on a deployed host with `openssl version`.
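To see which OpenSSL a host actually runs before deciding whether it needs the 3.0.7 update, the following POSIX shell check classifies a version string against the affected range and reports what the local `openssl` binary and a few common web server binaries link against. This is an added example, not open-appsec code; the binary paths at the bottom are assumptions for a typical Linux web server and can be replaced with your own.

```shell
#!/bin/sh
# Added example (not open-appsec code): classify an OpenSSL version against the
# CVE-2022-3602 / CVE-2022-3786 affected range (3.0.0 through 3.0.6, fixed in 3.0.7).

# Print "vulnerable", "fixed", "unaffected" or "unknown" for a bare version token
# such as "3.0.5", "3.0.7", "3.1.0" or "1.1.1q". Always returns 0 so it is safe
# under `set -e`; callers inspect the printed word.
openssl_cve_status() {
    case "$1" in
        "")                        echo unknown ;;      # no OpenSSL banner (e.g. LibreSSL)
        3.0.[0-6]|3.0.[0-6]-*)     echo vulnerable ;;   # 3.0.0 .. 3.0.6, incl. -dev pre-releases
        3.*)                       echo fixed ;;        # 3.0.7 and later 3.x lines carry the fix
        *)                         echo unaffected ;;   # 1.1.1 / 1.0.2 never had this code path
    esac
    return 0
}

# Pull the version token out of an `openssl version` banner,
# e.g. "OpenSSL 3.0.2 15 Mar 2022" -> "3.0.2". Prints nothing for non-OpenSSL banners.
openssl_version_token() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }'
}

# Report the OpenSSL on PATH, if any, plus the libssl each named binary links to.
# A link against libssl.so.3 means a 3.x library whose package version must be
# checked; libssl.so.1.1 is the unaffected 1.1.1 line. Statically linked binaries
# show no libssl at all and need their embedded version checked separately.
report_host_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        banner=$(openssl version)
        ver=$(openssl_version_token "$banner")
        printf 'openssl on PATH: %s -> %s\n' "${ver:-$banner}" "$(openssl_cve_status "$ver")"
    else
        echo "no openssl binary on PATH"
    fi
    for bin in "$@"; do
        [ -x "$bin" ] || continue
        lib=$(ldd "$bin" 2>/dev/null | awk '/libssl\.so/ { print $1; exit }')
        printf '%s links %s\n' "$bin" "${lib:-no libssl (static or none)}"
    done
    return 0
}

# Assumed paths for common Linux web servers; adjust for your hosts.
report_host_openssl /usr/sbin/nginx /usr/sbin/httpd /usr/sbin/apache2
```

The version classification is deliberately coarse: distributions such as Debian or Red Hat backport the fix into packages whose `openssl version` banner still reads 3.0.2 or similar, so on those systems treat "vulnerable" as "check the package changelog for the CVE IDs" rather than as a final verdict.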