The OpenSSL vulnerability disclosures (and fixes) are, thankfully, not nearly as bad as all the speculation would have led us to believe. Vendors and operators should update their OpenSSL dependencies to 3.0.7 when it is practical to do so, following normal change control procedures and weighing their own specific risk profile. For most people, this is not the emergency situation we were all expecting.
Specifically, deployments configured for mutual authentication, where the client and the server each present a certificate handled by OpenSSL for authentication, should definitely be fast-tracking this update. That is an unusual use case, though, so if you don't know whether you support it, you probably don't. For most installations, it is fine to take your time with this one.
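The triage rule above (3.0.x below 3.0.7 needs the update; mutual-authentication deployments fast-track it) as an added example, not code from the original post: it parses `openssl version` banners, decides whether a host is in scope, and assigns the priority the post describes. The `mutual_auth` flag is an assumption supplied by the operator's own inventory.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fix version named in the post: 3.0.7 closes the issue for the 3.0 series.
FIXED = (3, 0, 7)


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `openssl version` output.

    Accepts the 3.x form ('OpenSSL 3.0.5 5 Jul 2022') and the 1.x
    letter-suffixed form ('OpenSSL 1.1.1q  5 Jul 2022'); the suffix is ignored.
    Returns None for output that is not an OpenSSL banner (e.g. LibreSSL).
    """
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def update_status(banner: str) -> str:
    """'update', 'fixed', 'out-of-scope' (not a 3.0.x build) or 'unknown'."""
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown"
    if (v[0], v[1]) != (3, 0):
        return "out-of-scope"  # this advisory concerns the 3.0 series only
    return "update" if v < FIXED else "fixed"


def priority(banner: str, mutual_auth: bool) -> str:
    """Map the post's guidance onto a host: mTLS hosts fast-track, others follow change control."""
    status = update_status(banner)
    if status != "update":
        return "none"
    return "fast-track" if mutual_auth else "normal-change-control"


def installed_openssl_banner() -> str:
    """Return the local `openssl version` output, or '' if the binary is missing."""
    try:
        proc = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return ""
    return proc.stdout


if __name__ == "__main__":
    banner = installed_openssl_banner()
    # Assumption: set mutual_auth from your own inventory of mTLS listeners.
    print(banner.strip(), "->", update_status(banner), "/", priority(banner, mutual_auth=False))
```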