Security Bulletin Owner - Pratik Savla - pratik.savla@venafi.com
Security Issue Summary -
OpenSSL is a library used for cryptographic purposes, especially in the field of network connections.
The OpenSSL team pre-announced that it will release OpenSSL version 3.0.7 on November 1, 2022. According to the team, this release will fix a critical vulnerability in OpenSSL.
OpenSSL defines a critical-severity vulnerability as one that affects common configurations and is also likely to be exploitable. The examples it cites are significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities that can be easily exploited remotely to compromise server private keys, and cases where remote code execution is considered likely in common situations.
What OpenSSL versions are vulnerable in this case?
Vulnerable -
- OpenSSL 3.0.x
Not Vulnerable -
- OpenSSL 1.1.1
- OpenSSL 1.1.0
- OpenSSL 1.0.2
- OpenSSL 1.0.1
- LibreSSL
Impact to Venafi Products -
The Venafi R&D team has evaluated all supported releases of all Venafi products for any impact from this vulnerability. No Venafi products were found to be vulnerable. This advisory will be updated if new information becomes available.
Mitigation / Recommended Actions
No mitigation for Venafi Products is required at this time as all products are currently unaffected.
Venafi Security Advisory Status - GREEN