Organizations have five days to prepare for what the OpenSSL Project on Oct. 26 described as a "critical" vulnerability in versions 3.0 and above of the nearly ubiquitously used cryptographic library for encrypting communications on the Internet.
On Tuesday, Nov. 1, the project will release a new version of OpenSSL (version 3.0.7) that will patch an as-yet-undisclosed flaw in current versions of the technology. The characteristics of the vulnerability and ease with which it can be exploited will determine the speed with which organizations will need to address the issue. Major operating system vendors, software publishers, email providers, and technology companies that have integrated OpenSSL into their products and services will likely have updated versions of their technologies timed for release with the OpenSSL Project's disclosure of the flaw next Tuesday. But that will still leave potentially millions of others - including federal agencies, private companies, service providers, network device manufacturers, and countless website operators - with a looming deadline to find and fix the vulnerability before threat actors begin to exploit it.
If the new vulnerability turns out to be another Heartbleed bug - the last critical vulnerability to impact OpenSSL - organizations and indeed the entire industry are going to be under the gun to address the issue as quickly as possible.
Prepare Now for Critical Flaw in OpenSSL, Security Experts Warn
Even if the security bug is not another Heartbleed, prepare like it might be, they note — it has potentially sprawling ramifications.
www.darkreading.com