Introduction

Details of a critical vulnerability in OpenSSL will be published on 1st November 2022 between 1300 and 1700 UTC [1]. The vulnerability only affects version 3.x of OpenSSL.

OpenSSL is a widely used library for encrypting network traffic. OpenSSL rates the vulnerability as critical [2]. Papirfly has no more information about the vulnerability than what OpenSSL itself has published.

What we have done

• Reviewed all Pairfly services available on the public Internet to find any potential usage of OpenSSL 3.x
• Prepared to patch any services that may be vulnerable
• Prepared to take any services offline until they are patched, if they are determined to be vulnerable

What we have found

• None of our services use OpenSSL 3.x

What we are doing

• Waiting for OpenSSL to publish details of the vulnerability

References

• [1] https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
• [2] https://www.openssl.org/policies/general/security-policy.html