Am I affected?
At the moment, OpenSSL versions 3.0.0 through 3.0.6, and applications that use the OpenSSL library in those versions, appear to be vulnerable.
OpenSSL 3.x was released just about one year ago (see "OpenSSL 3.0 Has Been Released!" on the OpenSSL Blog); container images, distributions and software released before that date are unlikely to be affected.
OpenSSL can be installed through a package manager, which installs it in well-known locations and configures it at system level, or it can be downloaded onto the system as a compiled binary, or even compiled locally from source code. Because of these different approaches, it is not possible to list every way to detect the versions of OpenSSL installed on a system.
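Because package-manager queries miss bundled or locally compiled copies, one complementary check is to search files for the version banner that OpenSSL embeds in its library (for example `OpenSSL 3.0.2 15 Mar 2022`). The script below is an added example, not Veracode or OpenSSL tooling; the default scan roots and function names are assumptions, and the affected range is the one stated on this page.

```python
import os
import re
import sys

# libcrypto embeds a version banner such as b"OpenSSL 3.0.2 15 Mar 2022".
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)")
# Range stated on this page: 3.0.0 through 3.0.6 affected, 3.0.7 fixed.
AFFECTED_MIN, AFFECTED_MAX = (3, 0, 0), (3, 0, 6)


def is_affected(version):
    """True when a (major, minor, patch) tuple is inside the affected range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def versions_in_bytes(data):
    """Return every distinct OpenSSL version banner embedded in data."""
    return {tuple(int(g) for g in m.groups()) for m in BANNER.finditer(data)}


def scan_tree(root, max_size=256 * 1024 * 1024):
    """Yield (path, version, affected) for each banner found under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                # Skip symlinks, non-regular files and very large files.
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                if os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: ignore and keep going
            for version in sorted(versions_in_bytes(data)):
                yield path, version, is_affected(version)


if __name__ == "__main__":
    # Default roots are assumptions; pass your own directories as arguments.
    for root in sys.argv[1:] or ["/usr/lib", "/usr/local", "/opt"]:
        for path, version, affected in scan_tree(root):
            label = "AFFECTED" if affected else "ok"
            print(f"{label:8} {'.'.join(map(str, version))} {path}")
```

A hit is a lead to confirm rather than proof, since any file that merely contains the string will match. Applications that link OpenSSL dynamically are covered through the shared library they load, while statically linked or bundled copies show up under the application's own path.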
LibreSSL is not affected by this vulnerability (oss-security - Re: Forthcoming OpenSSL Releases).
BoringSSL is not affected.
These documents list the known software confirmed to be affected and not affected:
Proper vulnerability management relies on preparing an inventory of components present in your environment and modules that compose your applications. This case is no different. Being aware of the vulnerable assets will help speed up the remediation once the remediated version of the library is available.
As suggested by the OpenSSL security team in their blog post, please update to the latest version, 3.0.7, or obtain an updated copy from your operating system vendor or third-party provider.
How Veracode helps you to address this problem:
If you have bundled OpenSSL in your applications, our Software Composition Analysis (SCA) product can help you quickly verify whether an application portfolio that you’re scanning with us is affected.
To verify whether your applications are using vulnerable versions of OpenSSL, log in to the Veracode Platform. Check versions of OpenSSL that are dependencies of your applications by following these guides: https://docs.veracode.com/r/c_SCA_comps